Abstract

This paper presents the Timed Input/Output Automaton (TIOA) modeling framework, a basic mathematical framework to support description and analysis of timed systems. An important feature of this model is its support for decomposing timed system descriptions. In particular, the framework includes a notion of external behavior for a timed I/O automaton, which captures its discrete interactions with its environment. The framework also defines what it means for one TIOA to implement another, based on an inclusion relationship between their external behavior sets, and defines notions of simulations, which provide sufficient conditions for demonstrating implementation relationships. The framework includes a composition operation for TIOAs, which respects external behavior, and a notion of receptiveness, which implies that a TIOA does not block the passage of time.
1 Introduction

1.1 Overview 

Timed computing systems are systems in which desirable correctness or performance properties of the system depend on the timing of events, not just on the order of their occurrence. A typical timed system consists of computer components, which operate in discrete steps, and timing-related components such as physical or logical clocks, whose behavior involves continuous transformation over time. Timed systems are employed in a wide range of domains including communications, embedded systems, real-time operating systems, and automated control. Many applications involving timed systems have strong safety, reliability and predictability requirements, which makes it important to have methods for systematic design of systems and rigorous analysis of timing-dependent behavior.

In this paper, we introduce a basic mathematical framework - the Timed Input/Output Automaton modeling framework - to support description and analysis of timed systems. A Timed I/O Automaton (TIOA) is a kind of nondeterministic, possibly infinite-state, state machine. The state of a TIOA is described by a valuation of state variables that are internal to the automaton. The state of a TIOA can change in two ways: instantaneously, by the occurrence of a discrete transition, which is labeled by a discrete action, or according to a trajectory, which is a function that describes the evolution of the state variables over intervals of time. Trajectories may be continuous or discontinuous functions.

The TIOA framework supports decomposition of system description and analysis. A key to this decomposition is the rigorously-defined notion of external behavior for timed I/O automata. The external behavior of each TIOA is defined by a simple mathematical object called a trace, essentially a sequence of actions interspersed with time-passage steps. Abstraction and parallel composition are other important notions for decomposition of system description and analysis.

For abstraction, the framework includes notions of implementation and simulation, which can be used to view timed systems at multiple levels of abstraction, starting from a high-level version that describes required properties, and ending with a low-level version that describes a detailed design or implementation. In particular, the TIOA framework defines what it means for one TIOA, A, to implement another TIOA, B, namely, that any trace that can be exhibited by A is also allowed by B. In this case, A might be more deterministic than B, in terms of either discrete transitions or trajectories. For instance, B might be allowed to perform an output action at an arbitrary time before noon, whereas A produces the same output sometime between 10 and 11AM. The notion of a simulation relation from A to B provides a sufficient condition for demonstrating that A implements B. A simulation relation is defined to satisfy three conditions, one relating start states, one relating discrete transitions, and one relating trajectories of A and B.

For parallel composition, the framework provides a composition operation, by which TIOAs modeling individual timed system components can be combined to produce a model for a larger timed system. The model for the composed system can describe interactions among the components, which involves joint participation in discrete transitions. Composition requires certain "compatibility" conditions, namely, that each output action be controlled by at most one automaton, and that internal actions of one automaton cannot be shared by any other automaton. The composition operation respects traces, for example, if $A_1$ implements $A_2$ then the composition of $A_1$ and B implements the composition of $A_2$ and B. Composition also satisfies projection and pasting results, which are fundamental for compositional design and verification of systems: a trace of a composition of TIOAs "projects" to give traces of the individual TIOAs, and traces of components are "pastable" to give behaviors of the composition.

A formal modeling framework needs to support the statement and verification of both safety and liveness properties if it is to be of general practical use. A safety property specifies the absence of certain undesirable events, while a liveness property specifies that certain desirable events eventually occur. The TIOA modeling framework defines the notions of safety and liveness properties for a TIOA, and what it means for a pair of safety and liveness properties to be machine-closed. Machine-closure refers to the condition that a liveness property does not impose safety constraints beyond those already imposed by the safety property, and is usually considered to be a reasonable condition to satisfy in defining safety and liveness properties for a system.

The proof of many interesting liveness properties for concurrent systems requires some 
assumption about each activity in the system getting "enough" chances to make progress. 
Fairness properties are special kinds of liveness properties that express this informal idea. 
The TIOA framework includes notions of weak and strong fairness, and results that state 
under which conditions the fair traces of a TIOA can be shown to be included in the fair 
traces of another. 

An interesting complication that arises in the timed setting is the possibility that a state machine could exhibit so-called Zeno behavior, by allowing time to approach a finite point in time without quite reaching it, or by scheduling infinitely many discrete actions to happen in a finite amount of time. The TIOA framework includes a notion of receptiveness, which is used to classify automata that do not contribute to producing Zeno behavior, and which is preserved by composition. Receptiveness of a TIOA, A, in the TIOA framework is defined in terms of the existence of a strategy, which is defined as a subautomaton of A that chooses some of the evolutions from each state of A. This simple notion of a strategy is also used in the statement of results that identify the conditions under which the outcome of a system's interactions with its environment satisfies a liveness property.

The TIOA modeling framework presented in this paper has evolved from the recently introduced Hybrid Input/Output Automaton (HIOA) modeling framework for hybrid systems [22] by Lynch, Segala and Vaandrager. Our approach is based on the assumption that a timed system can be viewed as a special kind of a hybrid system where the continuous transformation is limited to internal system components that determine the timing of events. Therefore, we define a TIOA as a restricted HIOA where the only essential difference between an HIOA and a TIOA is that an HIOA may have external variables to model the continuous information flowing into and out of the system, in addition to state variables. A major consequence of this definition is that the communication between TIOAs is restricted to shared-action communication only. The TIOA model does not impose any further restrictions on the expressive power of the HIOA model.

We have undertaken the project of developing this new modeling framework even 
though there are several timed automaton models that extend the basic I/O automaton 
model [29, 36, 27, 25], because we have observed that the new HIOA modeling framework 
of Lynch, Segala and Vaandrager offered a way of improving and simplifying previous 
work on timed I/O automaton models [36, 27, 25]. For example, the use of trajectories as 
first-class objects to represent the external behavior of a timed automaton, the definition 
of a strategy as an automaton rather than a two-player game, and the variable structure 
on states are all new features that were motivated by what we learned in developing the 
HIOA framework and that gave rise to more elegant definitions and simpler proofs for 
timed automata. 

We intend the TIOA model to serve as a general semantic framework in which previous results for timed I/O automata [27, 29, 36, 25] and other related models [6, 28, 32, 11] can be re-cast in a style that is upwardly compatible with the new HIOA model. Limiting the communication to discrete interactions is an apt choice since the previous timed I/O automaton models also adopt this type of communication. On the other hand, by avoiding any further restrictions on the general hybrid model, we obtain an expressive model suitable for specifying complex timing behavior. For example, our model does not require variables to be either discrete or to evolve at the same rate as real-time as in some other models [6, 32]. Consequently, algorithms such as clock synchronization algorithms that use local clocks evolving at different and varying rates can be formalized naturally in our framework.

The fact that HIOAs subsume TIOAs as a special class does not eliminate the need 
for having a separate modeling framework for timed systems. First, having no external 
variables in the TIOA model gives rise to considerable simplifications in the theory. For 
example, proving that the composition of two timed automata is a well-defined automaton 
becomes simpler in the absence of external variables; no extra compatibility conditions as 
in the general HIOA framework are needed to obtain the desirable composition theorems 
for TIOAs. 

Second, we believe that focusing on the TIOA model presented in this paper is compatible with our longer-term goal of developing a unified I/O automaton model that can address timing-dependent, probabilistic and general hybrid behavior in a common framework. We are planning to start out with a probabilistic model with discrete interactions only, and then extend the model to handle timing-dependent behavior, and only at later stages consider continuous interactions. It would be harder to integrate probabilistic mechanisms into the full hybrid model than it would be to integrate them into the TIOA model presented here.

1.2 Related work 

One of the widely-used formal frameworks for timed systems is that of Alur-Dill timed automata [6, 4]. An Alur-Dill automaton is a finite directed multigraph augmented with a finite set of clock variables. The semantics of such a timed automaton are defined as a state transition system in which each state consists of a location and a clock valuation. Clocks are assumed to advance at the same rate as real time. The aim of facilitating automated verification based on reachability analysis seems to be the main motivation for the restrictions on the expressive power of the model. The timed automaton model presented in this paper is more expressive than the model of Alur-Dill automata. In our model, there are no finiteness assumptions and no restrictions imposed on the dynamic type of variables. We give a semantics for Alur-Dill automata by using a restricted class of our timed automata. Alur-Dill timed automata have been extensively studied from a formal language-theoretic view. Our focus, on the other hand, has been to develop a general formal framework with a well-defined notion of external behavior, parallel composition and abstraction that supports reasoning with simulation relations.

Uppaal [32, 21] is a widely-used modeling and verification tool for timed systems. It 
supports the description of systems as a network of Alur-Dill timed automata and enhances 
that model with CCS-style communication [30] along with other notions such as committed 
and urgent locations. Uppaal also supports communication via shared variables. Uppaal 
has a sophisticated model-checker that explores the whole state space of the modeled 
system to verify timing properties. Therefore, finiteness assumptions are built into the 
model to make such verification possible and the operations on clocks are restricted. For 
example, it is not possible to add the current value of a clock to a message as a timestamp 
when it is placed in a buffer. One of our plans for the near future is to work on a formal 
semantics for Uppaal based on some variation of our restricted hybrid I/O automaton 
model. There are several small mismatches due to the style of communication and notions 
such as committed locations but we intend to investigate to what extent we can use 
the communication mechanisms of our automata to model these formally. We could, for 
example, allow a non-empty set of external variables with restricted dynamic types and 
seek restrictions on the use of shared variables in Uppaal which would allow us to view 
these variables as external variables in the HIOA sense. 

A slight generalization of Alur-Dill timed automata are the linear hybrid automata of [5]. In this model, apart from clocks that progress with rate 1, one can also use continuous variables whose derivatives are contained in some arbitrary interval. A well-known model checking tool for linear hybrid automata is HyTech [17]. The input language of HyTech can easily be translated into our TIOA model.

The timed I/O automaton modeling framework presented in this paper can be used to express models that use lower and upper time bounds on tasks or actions [29, 28]. Our framework includes an operation for adding time bounds on a subset of the actions of a timed automaton. As a result of this operation, lower bounds are transformed to appropriate preconditions for transitions and upper bounds are transformed to stopping conditions for trajectories.

An interesting timed automaton model called "Clock GTA" has been introduced in [11]. The model was used for describing algorithms that behave in accordance with their timing constraints in certain intervals but may exhibit timing failures for some other intervals. The possibility of expressing such an ability turns out to be crucial for performance and fault-tolerance analysis for practical algorithms [11, 26]. We are interested in finding a systematic way of describing such behavior with our new timed I/O automaton model.

1.3 Paper Organization 

The rest of this paper is organized as follows. Section 2 contains mathematical preliminaries. Section 3 defines notions that are useful for describing the behavior of timed systems, most importantly, trajectories and timed sequences. Section 4 defines timed automata (TAs), which contain all of the structure of TIOAs except for the classification of external actions as inputs or outputs. It also defines external behavior for TAs and implementation and simulation relationships between TAs. Section 5 presents composition and hiding operations for TAs, along with operations for untiming and adding bounds that relate TIOAs to other timed automaton models. Section 6 presents definitions and results on the classification of properties of TAs as safety and liveness properties. Section 7 defines timed I/O automata (TIOAs) by adding an input/output classification to TAs, and extends the theory of TAs to TIOAs. It also defines special kinds of TIOAs such as progressive and receptive TIOAs. Section 8 presents compositionality results for TIOAs in general, and for the special classes of progressive and receptive TIOAs. Section 9 presents a theory for properties for TIOAs focusing on receptiveness for properties. Examples are included throughout.

2 Mathematical Preliminaries 

In this section, we give basic mathematical definitions and notation that will be used 
as a foundation for our definitions of timed automata and timed I/O automata. These 
definitions involve functions, sequences, partial orders, and untimed automata. 

2.1 Functions and Relations 

If $f$ is a function, then we denote the domain and range of $f$ by $dom(f)$ and $range(f)$, respectively. If also $S$ is a set, then we write $f \lceil S$ for the restriction of $f$ to $S$, that is, the function $g$ with $dom(g) = dom(f) \cap S$ such that $g(c) = f(c)$ for each $c \in dom(g)$.
We say that two functions $f$ and $g$ are compatible if $f \lceil dom(g) = g \lceil dom(f)$. If $f$ and $g$ are compatible functions then we write $f \cup g$ for the unique function $h$ with $dom(h) = dom(f) \cup dom(g)$ satisfying the condition: for each $c \in dom(h)$, if $c \in dom(f)$ then $h(c) = f(c)$ and if $c \in dom(g)$ then $h(c) = g(c)$. More generally, if $F$ is a set of pairwise compatible functions then we write $\bigcup F$ for the unique function $h$ with $dom(h) = \bigcup \{dom(f) \mid f \in F\}$ satisfying the condition: for each $f \in F$ and $c \in dom(f)$, $h(c) = f(c)$.

If $f$ is a function whose range is a set of functions and $S$ is a set, then we write $f \downarrow S$ for the function $g$ with $dom(g) = dom(f)$ such that $g(c) = f(c) \lceil S$ for each $c \in dom(g)$. The restriction operation $\downarrow$ is extended to sets of functions by pointwise extension. Also, if $f$ is a function whose range is a set of functions, all of which have a particular element $d$ in their domain, then we write $f \downarrow d$ for the function $g$ with $dom(g) = dom(f)$ such that $g(c) = f(c)(d)$ for each $c \in dom(g)$.

We say that two functions $f$ and $g$ whose ranges are sets of functions are pointwise compatible if for each $c \in dom(f) \cap dom(g)$, $f(c)$ and $g(c)$ are compatible. If $f$ and $g$ have the same domain and are pointwise compatible, then we denote by $f \cup g$ the function $h$ with $dom(h) = dom(f)$ such that $h(c) = f(c) \cup g(c)$ for each $c$.

A relation over sets $X$ and $Y$ is defined to be any subset of $X \times Y$. If $R$ is a relation, then we denote the domain and range of $R$ by $dom(R)$ and $range(R)$, respectively. A relation $R$ over $X$ and $Y$ is total over $X$ if $dom(R) = X$. We say that a relation $R$ over $X$ and $Y$ is image-finite if for each $x \in X$, $R(x)$ is finite.

2.2 Sequences 

Let $S$ be any set. A sequence over $S$ is a function from a downward-closed subset of $\mathbb{Z}^{+}$ to $S$. Thus, the domain of a sequence is either the set of all positive integers, or is of the form $\{1, \ldots, k\}$ for some $k$. In the first case we say that the sequence is infinite, and in the second case finite. We use $|\sigma|$ to denote the cardinality of $dom(\sigma)$, that is, the number of elements in $\sigma$. The sets of finite and infinite sequences over $S$ are denoted by $S^{*}$ and $S^{\omega}$, respectively. Concatenation of a finite sequence with a finite or infinite sequence is denoted by juxtaposition. We use $\lambda$ to denote the empty sequence, that is, the sequence with the empty domain. The sequence containing one element $c \in S$ is abbreviated as $c$. We say that a sequence $\sigma$ is a prefix of a sequence $\rho$, denoted by $\sigma \leq \rho$, if $\sigma = \rho \lceil dom(\sigma)$. Thus, $\sigma \leq \rho$ if either $\sigma = \rho$, or $\sigma$ is finite and $\rho = \sigma \sigma'$ for some sequence $\sigma'$. If $\sigma$ is a nonempty sequence then $head(\sigma)$ denotes the first element of $\sigma$ and $tail(\sigma)$ denotes $\sigma$ with its first element removed. Moreover, if $\sigma$ is finite, then $last(\sigma)$ denotes the last element of $\sigma$ and $init(\sigma)$ denotes $\sigma$ with its last element removed. Let $\sigma$ and $\sigma'$ be sequences over $S$. Then $\sigma'$ is a subsequence of $\sigma$ provided that there exists a monotone increasing function $f : dom(\sigma') \to dom(\sigma)$ such that $\sigma'(i) = \sigma(f(i))$ for all $i \in dom(\sigma')$. If $1 \leq j_1 \leq j_2 \leq |\sigma|$, then we define $\sigma(j_1 \ldots j_2)$ to be the subsequence of $\sigma$ obtained by extracting the elements in positions $j_1, \ldots, j_2$; that is, $\sigma'$ is the subsequence obtained from the function $f$ of length $j_2 - j_1 + 1$, where $f(i) = i + j_1 - 1$ for all $i$.
2.3 Partial Orders

We recall some basic definitions and results regarding partial orders, and in particular, complete partial orders (cpos) from [15, 16]. A partial order is a set $S$ together with a binary relation $\sqsubseteq$ that is reflexive, antisymmetric, and transitive. In the sequel, we usually denote posets by the set $S$ without explicit mention of the binary relation $\sqsubseteq$.

A subset $P \subseteq S$ is bounded (above) if there is a $c \in S$ such that $d \sqsubseteq c$ for each $d \in P$; in this case, $c$ is an upper bound for $P$. A least upper bound (lub) for a subset $P \subseteq S$ is an upper bound $c$ for $P$ such that $c \sqsubseteq d$ for every upper bound $d$ for $P$. If $P$ has a lub, then it is necessarily unique, and we denote it by $\bigsqcup P$. A subset $P \subseteq S$ is directed if every finite subset $Q$ of $P$ has an upper bound in $P$. A poset $S$ is complete, and hence is a complete partial order (cpo), if every directed subset $P$ of $S$ has a lub in $S$.

We say that $P' \subseteq S$ dominates $P \subseteq S$, denoted by $P \sqsubseteq P'$, if for every $c \in P$ there is some $c' \in P'$ such that $c \sqsubseteq c'$. We use the following two simple lemmas, adapted from [16, Lemmas 3.1.1 and 3.1.2].

Lemma 2.1 If $P, P'$ are directed subsets of a cpo $S$ and $P \sqsubseteq P'$ then $\bigsqcup P \sqsubseteq \bigsqcup P'$. ■

Lemma 2.2 Let $P = \{c_{ij} \mid i \in I, j \in J\}$ be a doubly indexed subset of a cpo $S$. Let $P_i$ denote the set $\{c_{ij} \mid j \in J\}$ for each $i \in I$. Suppose

1. $P$ is directed,

2. each $P_i$ is directed with lub $c_i$, and

3. the set $\{c_i \mid i \in I\}$ is directed.

Then $\bigsqcup P = \bigsqcup \{c_i \mid i \in I\}$.

A finite or infinite sequence of elements, $c_0\, c_1\, c_2 \ldots$, of a partially ordered set $(S, \sqsubseteq)$ is called a chain if $c_i \sqsubseteq c_{i+1}$ for each non-final index $i$. We define the limit of the chain, $\lim_{i \to \infty} c_i$, to be the lub of the set $\{c_0, c_1, c_2, \ldots\}$ if $S$ contains such a bound; otherwise, the limit is undefined. Since a chain is a special case of a directed set, each chain of a cpo has a limit.

A function $f : S \to S'$ between posets $S$ and $S'$ is monotone if $f(c) \sqsubseteq f(d)$ whenever $c \sqsubseteq d$. If $f$ is monotone and $P$ is a directed set, then the set $f(P) = \{f(c) \mid c \in P\}$ is directed as well. If $f$ is monotone and $f(\bigsqcup P) = \bigsqcup f(P)$ for every directed $P$, then $f$ is said to be continuous.

An element $c$ of a cpo $S$ is compact if, for every directed set $P$ such that $c \sqsubseteq \bigsqcup P$, there is some $d \in P$ such that $c \sqsubseteq d$. We define $K(S)$ to be the set of compact elements of $S$. A cpo $S$ is algebraic if every $c \in S$ is the lub of the set $\{d \in K(S) \mid d \sqsubseteq c\}$. A simple example of an algebraic cpo is the set of finite or infinite sequences over some given domain, equipped with the prefix ordering. Here the compact elements are the finite sequences.
2.4 A Basic Graph Lemma

Lemma 2.3 Let $G$ be an infinite directed graph that satisfies the following properties.

1. $G$ has finitely many roots.

2. Each node of $G$ has finite outdegree.

3. Each node of $G$ is reachable from some root of $G$.

Then, there is an infinite path in $G$ starting from some root.

Proof: The proof is an extension of König's Lemma [20]. ■

2.5 Untimed Automata 

An untimed automaton (UA) $A$ is defined as a tuple $(Q, \Theta, E, H, \mathcal{D})$ which consists of:

• A set $Q$ of states.

• A non-empty set $\Theta \subseteq Q$ of start states.

• A set $E$ of external actions and a set $H$ of internal actions, disjoint from each other. We write $A = E \cup H$.

• A set $\mathcal{D} \subseteq Q \times A \times Q$ of discrete transitions.

An execution fragment of an untimed automaton $A$ is either a finite sequence $s_0\, a_1\, s_1\, a_2 \cdots a_n\, s_n$ or an infinite sequence $s_0\, a_1\, s_1\, a_2 \cdots$, of alternating states and actions of $A$ such that $(s_k, a_{k+1}, s_{k+1})$ is in $\mathcal{D}$ for every non-final index $k$ where $k \geq 0$. An execution fragment beginning with a start state is called an execution. If $\alpha$ is an execution fragment of $A$, then the trace of $\alpha$ is defined as the subsequence of $\alpha$ consisting of all the external actions.

If $\alpha$ is a finite execution fragment of an automaton $A$ and $\alpha'$ is any execution fragment of $A$ that begins with the last state of $\alpha$, then we write $\alpha \frown \alpha'$ to represent the sequence obtained by concatenating $\alpha$ and $\alpha'$, eliminating the duplicate occurrence of the last state of $\alpha$. It is easy to see that $\alpha \frown \alpha'$ is also an execution fragment of $A$.
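The definitions of this subsection, as an added example that is not code from the paper: a small Python model of an untimed automaton with checks for execution fragments, executions and traces, the $\frown$ concatenation that writes the shared state only once, and a breadth-first enumeration of executions. The one-place buffer automaton and its action names are constructed here for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Hashable, List, Tuple

State = Hashable
Action = str
Frag = Tuple[Hashable, ...]  # flat tuple s_0 a_1 s_1 ... a_n s_n (states at even positions)


@dataclass(frozen=True)
class UA:
    """An untimed automaton (Q, Theta, E, H, D) as defined in Section 2.5."""
    Q: FrozenSet[State]
    Theta: FrozenSet[State]
    E: FrozenSet[Action]
    H: FrozenSet[Action]
    D: FrozenSet[Tuple[State, Action, State]]

    def __post_init__(self) -> None:
        if self.E & self.H:
            raise ValueError("external and internal actions must be disjoint")
        if not self.Theta or not self.Theta <= self.Q:
            raise ValueError("Theta must be a nonempty subset of Q")
        acts = self.E | self.H
        if any(s not in self.Q or a not in acts or t not in self.Q for s, a, t in self.D):
            raise ValueError("D must be a subset of Q x A x Q")

    def is_fragment(self, alpha: Frag) -> bool:
        """s_0 a_1 s_1 ... a_n s_n with (s_k, a_{k+1}, s_{k+1}) in D for every non-final k."""
        if len(alpha) % 2 == 0 or alpha[0] not in self.Q:
            return False
        return all((alpha[k], alpha[k + 1], alpha[k + 2]) in self.D
                   for k in range(0, len(alpha) - 2, 2))

    def is_execution(self, alpha: Frag) -> bool:
        """An execution is an execution fragment that begins with a start state."""
        return self.is_fragment(alpha) and alpha[0] in self.Theta

    def trace(self, alpha: Frag) -> Tuple[Action, ...]:
        """The subsequence of alpha consisting of its external actions."""
        return tuple(a for a in alpha[1::2] if a in self.E)

    def executions(self, max_steps: int) -> List[Frag]:
        """All executions with at most max_steps transitions, by breadth-first extension."""
        frontier: List[Frag] = [(s,) for s in sorted(self.Theta, key=repr)]
        found = list(frontier)
        for _ in range(max_steps):
            frontier = [alpha + (a, t) for alpha in frontier
                        for s, a, t in sorted(self.D, key=repr) if s == alpha[-1]]
            found.extend(frontier)
        return found


def concat_frags(alpha: Frag, alpha2: Frag) -> Frag:
    """alpha ⌢ alpha': alpha' must begin with the last state of alpha, which is
    then written only once in the result."""
    if len(alpha) % 2 == 0 or alpha[-1] != alpha2[0]:
        raise ValueError("alpha must be finite and alpha' must begin with last(alpha)")
    return alpha + alpha2[1:]


def sample_buffer() -> UA:
    """Constructed sample: a one-place buffer; put/get are external, check is internal."""
    return UA(Q=frozenset({"empty", "full"}), Theta=frozenset({"empty"}),
              E=frozenset({"put", "get"}), H=frozenset({"check"}),
              D=frozenset({("empty", "put", "full"), ("full", "get", "empty"),
                           ("full", "check", "full")}))


if __name__ == "__main__":
    ua = sample_buffer()
    alpha = ("empty", "put", "full", "check", "full")
    beta = concat_frags(alpha, ("full", "get", "empty"))
    print(ua.is_execution(beta), ua.trace(beta))
    print(sorted({ua.trace(e) for e in ua.executions(3)}))
```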

3 Describing Timed System Behavior 

In this section, we give basic definitions that are useful for describing discrete and continuous changes to the system's state. The key notions are static and dynamic types for variables, trajectories, and hybrid sequences. Most of the material in this section comes from the paper on the HIOA modeling framework [22]. The reader is referred to [22] for the proofs that are not included here.
3.1 Time

Throughout this paper, we fix a time axis $T$, which is a subgroup of $(\mathbb{R}, +)$, the real numbers with addition. We assume that every infinite, monotone, bounded sequence of elements of $T$ has a limit in $T$. The reader may find it convenient to think of $T$ as the set $\mathbb{R}$ of real numbers, but the set $\mathbb{Z}$ of integers and the singleton set $\{0\}$ are also examples of allowed time axes. We define $T^{\geq 0} = \{t \in T \mid t \geq 0\}$.

An interval $J$ is a nonempty, convex subset of $T$. We denote intervals as usual: $[t_1, t_2] = \{t \in T \mid t_1 \leq t \leq t_2\}$, $[t_1, t_2) = \{t \in T \mid t_1 \leq t < t_2\}$, etc. An interval $J$ is left-closed (right-closed) if it has a minimum (resp., maximum) element, and left-open (right-open) otherwise. It is closed if it is both left-closed and right-closed. We write $\min(J)$ and $\max(J)$ for the minimum and maximum elements, respectively, of an interval $J$ (if they exist), and $\inf(J)$ and $\sup(J)$ for the infimum and supremum, respectively, of $J$ in $\mathbb{R} \cup \{-\infty, \infty\}$. For $K \subseteq J$ and $t \in T$, we define $K + t = \{t' + t \mid t' \in K\}$. Similarly, for a function $f$ with domain $K$, we define $f + t$ to be the function with domain $K + t$ satisfying, for each $t' \in K + t$, $(f + t)(t') = f(t' - t)$.

In some definitions and theorems in the paper where we use $\mathbb{R}$ as the time domain we assume that the relation $<$ on $\mathbb{R}$ extends to a relation on $\mathbb{R} \cup \{\infty\}$ such that $\infty < \infty$ and for all $t \in \mathbb{R}$, $t < \infty$.

3.2 Static and Dynamic Types 

We assume a universal set V of variables. A variable represents a location within the state 
of a system. For each variable v, we assume both a (static) type, which gives the set of 
values it may take on, and a dynamic type, which gives the set of trajectories it may follow. 
Formally, for each variable v we assume the following: 

• $type(v)$, the (static) type of $v$. This is a nonempty set of values.

• $dtype(v)$, the dynamic type of $v$. This is a set of functions from left-closed intervals of $T$ to $type(v)$ that satisfies the following properties:

1. (Closure under time shift) For each $f \in dtype(v)$ and $t \in T$, $f + t \in dtype(v)$.

2. (Closure under subinterval) For each $f \in dtype(v)$ and each left-closed interval $J \subseteq dom(f)$, $f \lceil J \in dtype(v)$.

3. (Closure under pasting) Let $f_0\, f_1\, f_2 \ldots$ be a sequence of functions in $dtype(v)$ such that, for each index $i$ such that $f_i$ is not the final function in the sequence, $dom(f_i)$ is right-closed and $\max(dom(f_i)) = \min(dom(f_{i+1}))$. Then the function $f$ defined by $f(t) = f_i(t)$, where $i$ is the smallest index such that $t \in dom(f_i)$, is in $dtype(v)$.
Example 3.1 (Discrete variables) Let $v$ be any variable and let Constant be the set of constant functions from a left-closed interval of $T$ to $type(v)$. Then Constant is closed under time shift and subinterval. If the dynamic type of $v$ is obtained by closing Constant under the pasting operation, then $v$ is called a discrete variable. This is essentially the same as the definition of a discrete variable in [28]. ■

Example 3.2 (Analog variables) Assume that $T = \mathbb{R}$. Let $v$ be any variable whose static type is an interval of $\mathbb{R}$ and Continuous be the set of continuous functions from a left-closed interval of $T$ to $type(v)$. Then Continuous is closed under time shift and subinterval. If the dynamic type of $v$ is obtained by closing Continuous under the pasting operation, then $v$ is called an analog variable. ■

Example 3.3 (Standard real-valued function classes) If we take $T = \mathbb{R}$ and $type(v) = \mathbb{R}$, then other examples of dynamic types can be obtained by taking the pasting closure of standard function classes from real analysis: the set of differentiable functions, the set of functions that are differentiable $k$ times (for any $k$), the set of smooth functions, the set of integrable functions, the set of $L^p$ functions (for any $p$), the set of measurable locally essentially bounded functions [37], or the set of all functions. ■

Standard function classes are closed under time shift and subinterval, but not under 
pasting. A natural way of defining a dynamic type is as the pasting closure of a class of 
functions that is closed under time shift and subinterval. In such a case, it follows that 
the new class is closed under all three operations. 

3.3 Trajectories 

In this subsection, we define the notion of a trajectory, define operations on trajectories, 
and prove simple properties of trajectories and their operations. A trajectory is used to 
model the evolution of a collection of variables over an interval of time. 



3.3.1 Basic Definitions 

Let $V$ be a set of variables, that is, a subset of $\mathcal{V}$. A valuation $\mathbf{v}$ for $V$ is a function that associates with each variable $v \in V$ a value in $type(v)$. We write $val(V)$ for the set of valuations for $V$. Let $J$ be a left-closed interval of $T$ with left endpoint equal to $0$. Then a $J$-trajectory for $V$ is a function $\tau : J \to val(V)$, such that for each $v \in V$, $\tau \downarrow v \in dtype(v)$. A trajectory for $V$ is a $J$-trajectory for $V$, for any $J$. We write $trajs(V)$ for the set of all trajectories for $V$.

A trajectory for $V$ with domain $[0, 0]$ is called a point trajectory for $V$. If $\mathbf{v}$ is a valuation for $V$ then $\wp(\mathbf{v})$ denotes the point trajectory for $V$ that maps to $\mathbf{v}$. We say that a $J$-trajectory is finite if $J$ is a finite interval, closed if $J$ is a (finite) closed interval, open if $J$ is a right-open interval, and full if $J = T^{\geq 0}$. If $\mathcal{T}$ is a set of trajectories, then $finite(\mathcal{T})$, $closed(\mathcal{T})$, $open(\mathcal{T})$, and $full(\mathcal{T})$ denote the subsets of $\mathcal{T}$ consisting of all the finite, closed, open, and full trajectories in $\mathcal{T}$, respectively.

If $\tau$ is a trajectory then $\tau.ltime$, the limit time of $\tau$, is the supremum of $dom(\tau)$. We define $\tau.fval$, the first valuation of $\tau$, to be $\tau(0)$, and if $\tau$ is closed, we define $\tau.lval$, the last valuation of $\tau$, to be $\tau(\tau.ltime)$. For $\tau$ a trajectory and $t \in T^{\geq 0}$, we define

$$\tau \trianglelefteq t \triangleq \tau \lceil [0, t], \qquad \tau \triangleleft t \triangleq \tau \lceil [0, t), \qquad \tau \trianglerighteq t \triangleq (\tau \lceil [t, \infty)) - t.$$

Note that, since dynamic types are closed under time shift and subintervals, the result of applying the above operations is always a trajectory, except when the result is a function with an empty domain. By convention, we also write $\tau \trianglelefteq \infty = \tau$ and $\tau \triangleleft \infty = \tau$.

3.3.2 Prefix Ordering 

Trajectory $\tau$ is a prefix of trajectory $\upsilon$, denoted by $\tau \leq \upsilon$, if $\tau$ can be obtained by restricting $\upsilon$ to a subset of its domain. Formally, if $\tau$ and $\upsilon$ are trajectories for $V$, then $\tau \leq \upsilon$ iff $\tau = \upsilon \lceil dom(\tau)$. Alternatively, $\tau \leq \upsilon$ iff there exists a $t \in T^{\geq 0} \cup \{\infty\}$ such that $\tau = \upsilon \trianglelefteq t$ or $\tau = \upsilon \triangleleft t$. If $\tau \leq \upsilon$ then clearly $dom(\tau) \subseteq dom(\upsilon)$. If $\mathcal{T}$ is a set of trajectories for $V$, then $pref(\mathcal{T})$ denotes the prefix closure of $\mathcal{T}$, defined by:

$$pref(\mathcal{T}) = \{\tau \in trajs(V) \mid \exists \upsilon \in \mathcal{T} : \tau \leq \upsilon\}.$$

We say that $\mathcal{T}$ is prefix closed if $\mathcal{T} = pref(\mathcal{T})$.

The following lemma gives a simple domain-theoretic characterization of the set of 
trajectories over a given set V of variables: 

Lemma 3.4 Let $V$ be a set of variables. The set $trajs(V)$ of trajectories for $V$, together with the prefix ordering $\leq$, is an algebraic cpo. Its compact elements are the closed trajectories.



3.3.3 Concatenation 

The concatenation of two trajectories is obtained by taking the union of the first trajectory 
and the function obtained by shifting the domain of the second trajectory until the start 
time agrees with the limit time of the first trajectory; the last valuation of the first 
trajectory, which may not be the same as the first valuation of the second trajectory, is 
the one that appears in the concatenation. Formally, suppose τ and τ' are trajectories for 
V, with τ closed. Then the concatenation τ ⌢ τ' is the function given by 

$$\tau \frown \tau' \;\triangleq\; \tau \cup \bigl((\tau' \lceil (0, \infty)) + \tau.\mathit{ltime}\bigr).$$

Because dynamic types are closed under time shift and pasting, it follows that τ ⌢ τ' is a 
trajectory for V. Observe that τ ⌢ τ' is finite (resp., closed, full) if and only if τ' is finite 
(resp., closed, full). Observe also that concatenation is associative. 

The following lemma, which is easy to prove, shows the close connection between 
concatenation and the prefix ordering. 

Lemma 3.5 Let τ and υ be trajectories for V with τ closed. Then 

$$\tau \le \upsilon \;\Leftrightarrow\; \exists \tau' : \upsilon = \tau \frown \tau'.$$

Note that if τ ≤ υ, then the trajectory τ' such that υ = τ ⌢ τ' is unique except that it has 
an arbitrary value for τ'.fval. Note also that the "⇐" implication in Lemma 3.5 would 
not hold if the first valuation of the second argument, rather than the last valuation of 
the first argument, were used in the concatenation. 

We extend the definition of concatenation to any (finite or countably infinite) number 
of arguments. Let τ0 τ1 τ2 ... be a (finite or infinite) sequence of trajectories such that τ_i 
is closed for each nonfinal index i. Define trajectories τ'_0, τ'_1, τ'_2, ... inductively by 

$$\tau'_0 \;\triangleq\; \tau_0,$$
$$\tau'_{i+1} \;\triangleq\; \tau'_i \frown \tau_{i+1} \quad \text{for nonfinal } i.$$

Lemma 3.5 implies that for each nonfinal i, τ'_i ≤ τ'_{i+1}. We define the concatenation 
τ0 ⌢ τ1 ⌢ τ2 ... to be the limit of the chain τ'_0 τ'_1 τ'_2 ...; existence of this limit follows from 
Lemma 3.4. 



3.4 Hybrid Sequences 

In this subsection, we introduce the notion of a hybrid sequence, which is used to model a 
combination of changes that occur instantaneously and changes that occur over intervals 
of time. Our definition is parameterized by a set A of actions, which are used to model 
instantaneous changes and instantaneous synchronizations with the environment, and a 
set V of variables, which are used to model changes over intervals of time. We also define 
some special kinds of hybrid sequences and some operations on hybrid sequences, and give 
basic properties. 
3.4.1 Basic Definitions 

Fix a set A of actions and a set V of variables. An (A, V)-sequence is a finite or infinite 
alternating sequence α = τ0 a1 τ1 a2 τ2 ..., where 

1. each τ_i is a trajectory in trajs(V), 

2. each a_i is an action in A, 

3. if α is a finite sequence then it ends with a trajectory, and 

4. if τ_i is not the last trajectory in α then dom(τ_i) is closed. 

A hybrid sequence is an (A, V)-sequence for some A and V. 

Since the trajectories in a hybrid sequence can be point trajectories, our notion of 
hybrid sequence allows a sequence of discrete actions to occur at the same real time, with 
corresponding changes of variable values. An alternative approach is described in [34], 
where state changes at a single real time are modeled using a notion of "superdense time". 
Specifically, hybrid behavior is modeled in [34] using functions from an extended time 
domain, which includes countably many elements for each real time, to states. 

If α is a hybrid sequence, with notation as above, then we define the limit time of α, 
α.ltime, to be Σ_i τ_i.ltime. A hybrid sequence α is defined to be: 

• time-bounded if α.ltime is finite. 

• admissible if α.ltime = ∞. 

• closed if α is a finite sequence and the domain of its final trajectory is a closed 
interval. 

• Zeno if α is neither closed nor admissible, that is, if α is time-bounded and is either 
an infinite sequence, or else a finite sequence ending with a trajectory whose domain 
is right-open. 

• non-Zeno if α is not Zeno. 

For any hybrid sequence α, we define the first valuation of α, α.fval, to be head(α).fval. 
Also, if α is closed, we define the last valuation of α, α.lval, to be last(α).lval, that is, the 
last valuation in the final trajectory of α. 

If α is a hybrid sequence of the form τ0 a1 τ1 a2 τ2 ..., we use actions(α) to denote the 
sequence a1 a2 a3 ..., which is obtained by discarding the trajectories in α. 

If α is a closed (A, V)-sequence, where V = ∅ and β ∈ trajs(∅), we call α ⌢ β a 
time-extension of α. 
3.4.2 Prefix Ordering 

We say that (A, V)-sequence α = τ0 a1 τ1 ... is a prefix of (A, V)-sequence β = υ0 b1 υ1 ..., 
denoted by α ≤ β, provided that (at least) one of the following holds: 

1. α = β. 

2. α is a finite sequence ending in some τ_k; τ_i = υ_i and a_{i+1} = b_{i+1} for every 0 ≤ i < k; 
and τ_k ≤ υ_k. 

Like the set of trajectories over V, the set of (A, V)-sequences is an algebraic cpo: 

Lemma 3.6 Let V be a set of variables and A a set of actions. The set of (A, V)- 
sequences, together with the prefix ordering ≤, is an algebraic cpo. Its compact elements 
are the closed (A, V)-sequences. 

3.4.3 Concatenation 

Suppose α and α' are (A, V)-sequences with α closed. Then the concatenation α ⌢ α' is 
the (A, V)-sequence given by 

$$\alpha \frown \alpha' \;\triangleq\; \mathit{init}(\alpha)\;\bigl(\mathit{last}(\alpha) \frown \mathit{head}(\alpha')\bigr)\;\mathit{tail}(\alpha').$$

(Here, init, last, head and tail are ordinary sequence operations.) 

Lemma 3.7 Let α and β be (A, V)-sequences with α closed. Then 

$$\alpha \le \beta \;\Leftrightarrow\; \exists \alpha' : \beta = \alpha \frown \alpha'.$$

Note that if α ≤ β, then the (A, V)-sequence α' such that β = α ⌢ α' is unique except 
that it has an arbitrary value in val(V) for α'.fval. 

As we did for trajectories, we extend the concatenation definition for (A, V)-sequences 
to any finite or infinite number of arguments. Let α0 α1 ... be a finite or infinite sequence 
of (A, V)-sequences such that α_i is closed for each nonfinal index i. Define (A, V)-sequences 
α'_0, α'_1, ... inductively by 

$$\alpha'_0 \;\triangleq\; \alpha_0,$$
$$\alpha'_{i+1} \;\triangleq\; \alpha'_i \frown \alpha_{i+1} \quad \text{for nonfinal } i.$$

Lemma 3.7 implies that for each nonfinal i, α'_i ≤ α'_{i+1}. We define the concatenation 
α0 ⌢ α1 ... to be the limit of the chain α'_0 α'_1 ...; existence of this limit is ensured by 
Lemma 3.6. 
3.4.4 Restriction 

Let A and A' be sets of actions and let V and V' be sets of variables. The (A', V')- 
restriction of an (A, V)-sequence α, denoted by α ⌈(A', V'), is obtained by first projecting 
all trajectories of α on the variables in V', then removing the actions not in A', and finally 
concatenating all adjacent trajectories. Formally, we define the (A', V')-restriction first 
for closed (A, V)-sequences and then extend the definition to arbitrary (A, V)-sequences 
using a limit construction. The definition for closed (A, V)-sequences is by induction on 
the length of those sequences: 

$$\tau \lceil (A', V') = \tau \downarrow V' \quad \text{if } \tau \text{ is a single trajectory},$$
$$(\alpha\, a\, \tau) \lceil (A', V') = \begin{cases} (\alpha \lceil (A', V'))\; a\; (\tau \downarrow V') & \text{if } a \in A', \\ (\alpha \lceil (A', V')) \frown (\tau \downarrow V') & \text{otherwise.} \end{cases}$$

It is easy to see that the restriction operator is monotone on the set of closed (A, V)- 
sequences. Hence, if we apply this operation to a directed set, the result is again a directed 
set. Together with Lemma 3.6, this allows us to extend the definition of restriction to 
arbitrary (A, V)-sequences by: 

$$\alpha \lceil (A', V') = \bigsqcup \{\beta \lceil (A', V') \mid \beta \text{ is a closed prefix of } \alpha\}.$$

Lemma 3.8 (A', V')-restriction is a continuous operation. 

Lemma 3.9 (α0 ⌢ α1 ⌢ ...) ⌈(A, V) = α0 ⌈(A, V) ⌢ α1 ⌈(A, V) ⌢ .... 

Lemma 3.10 (α ⌈(A, V)) ⌈(A', V') = α ⌈(A ∩ A', V ∩ V'). 

Lemma 3.11 Let α be a hybrid sequence, A a set of actions and V a set of variables. 

1. α is time-bounded if and only if α ⌈(A, V) is time-bounded. 

2. α is admissible if and only if α ⌈(A, V) is admissible. 

3. If α is closed then α ⌈(A, V) is closed. 

4. If α is non-Zeno then α ⌈(A, V) is non-Zeno. 

Example 3.12 (A Zeno execution with a closed (A, V)-restriction) In order to 
understand why we have an implication in only one direction in items 3 and 4, consider the 
Zeno sequence α of the form p(v) a p(v) a p(v) .... Let A be a set such that a ∉ A and let 
V consist of the variables in dom(v). Obviously, α ⌈(A, V), which is p(v), is closed, and 
hence also non-Zeno. This shows that the fact that α ⌈(A, V) is closed (resp., non-Zeno) 
does not imply that α is closed (resp., non-Zeno). ■ 
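The trajectory operations of Section 3.3 and the (A', V')-restriction of Section 3.4.4, as an added example that is not part of the paper: a closed trajectory is represented as a duration plus a function of time (an assumption made here so the definitions can be executed), concatenation keeps the last valuation of the first argument at the junction, and restricting the closed prefixes of the Zeno sequence of Example 3.12 always yields the point trajectory p(v).

```python
"""Closed trajectories, their concatenation (Section 3.3.3) and the (A', V')-restriction
of closed hybrid sequences (Section 3.4.4).  Added example, not code from the paper:
representing a closed trajectory as a duration plus a function of time is an assumption
made here so that the definitions can be executed."""
from typing import Callable, Dict, List, Set, Union

Valuation = Dict[str, float]


class Trajectory:
    """A closed trajectory tau: a function from [0, tau.ltime] to valuations."""

    def __init__(self, ltime: float, fn: Callable[[float], Valuation]):
        assert ltime >= 0
        self.ltime = ltime
        self.fn = fn

    def __call__(self, t: float) -> Valuation:
        assert 0 <= t <= self.ltime, "t outside dom(tau)"
        return dict(self.fn(t))

    @property
    def fval(self) -> Valuation:
        return self(0.0)

    @property
    def lval(self) -> Valuation:
        return self(self.ltime)

    def project(self, vars_: Set[str]) -> "Trajectory":
        """tau projected on the variables in vars_ (written tau downarrow V')."""
        return Trajectory(self.ltime,
                          lambda t: {v: x for v, x in self(t).items() if v in vars_})

    def concat(self, other: "Trajectory") -> "Trajectory":
        """tau concatenated with tau': tau on [0, tau.ltime], then tau' shifted right by
        tau.ltime.  At the junction time the last valuation of tau is kept, not the
        first valuation of tau' (the "<=" direction of Lemma 3.5 depends on this)."""
        shift = self.ltime
        return Trajectory(shift + other.ltime,
                          lambda t: self(t) if t <= shift else other(t - shift))


def point(v: Valuation) -> Trajectory:
    """p(v): the point trajectory with domain [0, 0] mapping 0 to v."""
    return Trajectory(0.0, lambda _t: v)


# A closed (A, V)-sequence tau0 a1 tau1 ... ak tauk, stored as a flat alternating list.
HybridSeq = List[Union[Trajectory, str]]


def ltime(alpha: HybridSeq) -> float:
    """alpha.ltime: the sum of the limit times of the trajectories in alpha."""
    return sum(x.ltime for x in alpha if isinstance(x, Trajectory))


def restrict(alpha: HybridSeq, actions: Set[str], vars_: Set[str]) -> HybridSeq:
    """(A', V')-restriction of a closed sequence, by induction on its length: project
    every trajectory on V', keep the actions in A', and concatenate the trajectories
    on either side of a removed action."""
    result: HybridSeq = [alpha[0].project(vars_)]
    for a, tau in zip(alpha[1::2], alpha[2::2]):
        tau = tau.project(vars_)
        if a in actions:
            result += [a, tau]
        else:
            result[-1] = result[-1].concat(tau)
    return result


def zeno_prefix(v: Valuation, a: str, n: int) -> HybridSeq:
    """The closed prefix p(v) a p(v) a ... p(v), with n occurrences of a, of the Zeno
    sequence of Example 3.12."""
    seq: HybridSeq = [point(v)]
    for _ in range(n):
        seq += [a, point(v)]
    return seq


if __name__ == "__main__":
    # Constructed sample: x ramps from 0 to 1 over 2 time units, then jumps to 5 and decays.
    tau1 = Trajectory(2.0, lambda t: {"x": t / 2, "y": 1.0})
    tau2 = Trajectory(1.0, lambda t: {"x": 5.0 - t, "y": 2.0})
    joined = tau1.concat(tau2)
    print(joined(2.0), joined(2.5), joined.ltime)   # junction keeps tau1.lval
    alpha = [tau1, "a", tau2, "b", point({"x": 4.0, "y": 2.0})]
    beta = restrict(alpha, {"b"}, {"x"})            # drops a, keeps b, projects on x
    print(len(beta), ltime(beta), beta[0](2.0))
    # Every closed prefix of the Zeno sequence restricts to the single point trajectory.
    print(ltime(restrict(zeno_prefix({"x": 1.0}, "a", 50), set(), {"x"})))
```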
4 Timed Automata 

In this section, as a preliminary step toward defining timed I/O automata, we define a 
slightly more general timed automaton model. In timed automata, actions are classified as 
external or internal, but external actions are not further classified as input or output; the 
input/output distinction is added in Section 7. We define how timed automata execute 
and define implementation and simulation relations between timed automata. 

4.1 Definition of Timed Automata 

A timed automaton is a state machine whose states are divided into variables, and that 
has a set of discrete actions, some of which may be internal and some external. The state 
of a timed automaton may change in two ways: by discrete transitions, which change 
the state atomically, and by trajectories, which describe the evolution of the state over 
intervals of time. The discrete transitions are labeled with actions; this will allow us to 
synchronize the transitions of different timed automata when we compose them in parallel. 
The evolution described by a trajectory may be described by continuous or discontinuous 
functions. 

Formally, a timed automaton (TA) A = (X, Q, Θ, E, H, D, T) consists of: 

• A set X of internal variables. 

• A set Q ⊆ val(X) of states. 

• A nonempty set Θ ⊆ Q of start states. 

• A set E of external actions and a set H of internal actions, disjoint from each other. 
We write A = E ∪ H. 

• A set D ⊆ Q × A × Q of discrete transitions. 

We use $x \xrightarrow{a}_A x'$ as shorthand for (x, a, x') ∈ D. Here and elsewhere, we sometimes 
drop the subscript and write $x \xrightarrow{a} x'$, when we think A should be clear from the 
context. We say that a is enabled in x if $x \xrightarrow{a} x'$ for some x'. We say that a set C 
of actions is enabled in a state x if some action in C is enabled in x. 

• A set T of trajectories for X such that τ(t) ∈ Q for every τ ∈ T and t ∈ dom(τ). 
Given a trajectory τ ∈ T we denote τ.fval by τ.fstate and, if τ is closed, we denote 
τ.lval by τ.lstate. When τ.fstate = x and τ.lstate = x', we sometimes write $x \xrightarrow{\tau}_A x'$. 
We require that the following axioms hold: 

T0 (Existence of point trajectories) 
If x ∈ Q then p(x) ∈ T. 

T1 (Prefix closure) 
For every τ ∈ T and every τ' ≤ τ, τ' ∈ T. 

T2 (Suffix closure) 
For every τ ∈ T and every t ∈ dom(τ), τ ⊵ t ∈ T. 

T3 (Concatenation closure) 
Let τ0 τ1 τ2 ... be a sequence of trajectories in T such that, for each nonfinal 
index i, τ_i is closed and τ_i.lstate = τ_{i+1}.fstate. Then τ0 ⌢ τ1 ⌢ τ2 ... ∈ T. 

Thus, a timed automaton is essentially a hybrid automaton in the sense of [22] in 
which W, the set of external variables, is empty. (The only difference is the addition of 
the axiom T0, which does not affect any of the results of [22].) This definition differs from 
previous definitions of timed automata [25, 36] in two major respects. First, the states are 
structured using variables, which have dynamic types with specific closure properties. The 
variable structure is convenient for writing specifications and the dynamic types are useful 
in analyzing continuous evolution of the state. Second, the set of trajectories is defined 
as an explicit component of an automaton. In the previous definitions, time-passage was 
represented by special time-passage actions and trajectories were defined implicitly, as 
auxiliary functions describing the effects of time-passage actions on states. 

Notation: We often denote the components of a TA A by X_A, Q_A, Θ_A, E_A, etc., and 
the components of a TA A_i by X_i, Q_i, Θ_i, E_i, etc. We sometimes omit these subscripts, 
where no confusion seems likely. In examples we typically specify sets of trajectories using 
differential and algebraic equations and inclusions. Below we explain a few notational 
conventions that help us in doing this. Suppose the time domain T is R, τ is a (fixed) 
trajectory over some set of variables V, and v ∈ V. With some abuse of notation, we use 
the variable name v to denote the function τ ↓ v : dom(τ) → type(v), which gives the 
value of v at all times during trajectory τ. Similarly, we view any expression e containing 
variables from V as a function with domain dom(τ). Suppose that v is a variable and e is 
a real-valued expression containing variables from V. Using these conventions we can say, 
for example, that τ satisfies the algebraic equation 

$$v = e$$

which means that, for every t ∈ dom(τ), v(t) = e(t), that is, the constraint on the variables 
expressed by the equation v = e holds for each state on trajectory τ. Now suppose also 
that e, when viewed as a function, is integrable. Then we say that τ satisfies 

$$d(v) = e$$

if, for every t ∈ dom(τ), $v(t) = v(0) + \int_0^t e(t')\,dt'$. Equivalently, for every t1, t2 ∈ dom(τ) 
such that t1 ≤ t2, $v(t_2) = v(t_1) + \int_{t_1}^{t_2} e(t')\,dt'$. Note that this interpretation of the differential 
equation makes sense even at points where v is not differentiable. A similar interpretation 
of differential equations is used by Polderman and Willems [35], who call functions defined 
in this way "weak solutions". 

We generalize this notation to handle inequalities as well as equalities. Suppose that v 
is a variable and e is a real-valued expression containing variables from V. The inequality 

$$e \le v$$

means that, for every t ∈ dom(τ), e(t) ≤ v(t). That is, the constraint expressed by the 
inequality e ≤ v holds for each state of trajectory τ. Similarly, the inequality 

$$v \le e$$

means that, for every t ∈ dom(τ), v(t) ≤ e(t). Now suppose that e is integrable when 
viewed as a function. Then we say that τ satisfies 

$$e \le d(v)$$

if, for every t1, t2 ∈ dom(τ) such that t1 ≤ t2, $v(t_1) + \int_{t_1}^{t_2} e(t')\,dt' \le v(t_2)$, and τ satisfies 

$$d(v) \le e$$

if, for every t1, t2 ∈ dom(τ) such that t1 ≤ t2, $v(t_2) \le v(t_1) + \int_{t_1}^{t_2} e(t')\,dt'$. 

Conventions for automata specifications: In all the examples of this paper we as- 
sume that T = R. The static type of a variable v is always written explicitly. Discrete and 
analog variables are designated using the keywords discrete and analog respectively. The 
definition of what it means for a variable to be discrete or analog is given in Examples 3.1 
and 3.2. Although timed automata may contain variables that are neither discrete nor 
analog, none of our examples use such variables. 

The transitions are specified in precondition-effect style. A precondition clause spec- 
ifies the enabling condition for an action. The effect clause contains a list of statements 
that specify the effect of performing that action on the state. All the statements in an 
effect clause are assumed to be executed sequentially in a single indivisible step. The 
absence of a specified precondition for an action means that the action is always enabled 
and the absence of a specified effect means that performing the action does not change 
the state. 

The trajectories are specified by using a variation of the language presented in [31]. A 
satisfies clause contains a list of predicates that must be satisfied by all the trajectories. 
This clause is followed by a stops when clause. If the predicate in this clause becomes 
true at a point t in time, then t must be the limit time of the trajectory. When there is 
no stopping condition for trajectories we omit the stops when clause. We write d(v) = e, 
d(v) ≤ e and e ≤ d(v) in specifications with the meanings defined above. If the value of a 
variable is constant throughout a trajectory then we write constant(v). If the evolution of 
a variable follows a continuous function throughout a trajectory then we write continuous(v). 

Automaton TimedChannel(b, M) where b ∈ R^+ 
  Variables X :    discrete queue, a finite sequence of elements of M × R, initially empty 
                   analog now ∈ R, initially 0 
  States Q :       val(X) 
  Actions A :      external send(m), receive(m) where m ∈ M 
  Transitions D :  external send(m) 
                     effect 
                       add (m, now + b) to queue 
                   external receive(m) 
                     precondition 
                       ∃u. (m, u) is first element of queue 
                     effect 
                       remove first element of queue 
  Trajectories T : satisfies 
                     constant(queue) 
                     d(now) = 1 
                   stops when 
                     ∃(m, u) ∈ queue. (now = u) 

Figure 1: Time-bounded channel 

Example 4.1 (Time-bounded channel) The automaton in Figure 2 is the specifica- 
tion of a reliable FIFO channel that delivers its messages within a certain time bound, 
represented by the automaton parameter b of type R^+. The other automaton parameter 
M is an arbitrary type parameter that represents the type of messages communicated by 
the channel. 

The discrete variable queue is used to hold pairs consisting of a message that has been 
sent and its delivery deadline. The analog variable now is used to describe real time. 

Every send{m) transition adds to the queue a new pair whose first component is m 
and whose second component is the deadline now + b. A receive{m) transition can occur 
only when m is the first message in the queue and it results in the removal of the first 
message from the queue. 
automaton TimedChannel(b : Real, M) 
  signature 
    external send(m), receive(m) where m ∈ M 
  states 
    queue : Queue[M] := {} 
    now : Real := 0 
    initially b > 0 
  transitions 
    external send(m) 
      eff 
        queue := append((m, now+b), queue) 
    external receive(m) 
      pre 
        \exists u (m,u) = head(queue) 
      eff 
        queue := tail(queue) 
  trajectories 
    stop when \exists (m,u) ∈ queue (now = u) 
    evolve 
      d(now) = 1 

Figure 2: Time-bounded channel 

The trajectory specification shows that the discrete variable queue is kept constant 
by trajectories and that the variable now increases with rate 1, that is, at the same rate 
as real time. The stopping condition implies that, within a trajectory, time cannot pass 
beyond the point where now becomes equal to the delivery deadline of some message in 
the queue. 



Example 4.2 (Periodic sending process) The automaton in Figure 3 is the speci- 
fication of a process that sends messages periodically, every u time units, where u is an 
automaton parameter of type R^{≥0}. The type parameter M represents the type of the 
messages sent by the process. 

The analog variable clock is a timer whose value records the amount of time that has 
elapsed since it was last reset to 0. A send(m) transition can occur only when clock = u, 
and it causes clock to be reset. The trajectory specification says that clock increases at 
the same rate as real time and time cannot pass beyond the point where clock = u. 



Example 4.3 (Periodic sending process with failures) The specification of the 
PeriodicSend(u, M) process from Example 4.2 does not model failures. We now consider 
a variant of PeriodicSend(u, M) where the process may fail and stop doing any discrete 
actions. The specification of this new automaton is given in Figure 4. 

Automaton PeriodicSend(u, M) where u ∈ R^{≥0} 
  Variables X :    analog clock ∈ R, initially 0 
  States Q :       val(X) 
  Actions A :      external send(m) where m ∈ M 
  Transitions D :  external send(m) 
                     precondition 
                       clock = u 
                     effect 
                       clock := 0 
  Trajectories T : satisfies 
                     d(clock) = 1 
                   stops when 
                     clock = u 

Figure 3: Periodic sending process 

The discrete variable failed in automaton PeriodicSend2 is a boolean flag that records 
whether the process is failed. It is initialized to false and is set to true when a fail 
action occurs. The trajectory specification of PeriodicSend2 shows that time can advance 
without any bound when the process is failed. 



Example 4.4 (Timeout process) The automaton Timeout(u, M) in Figure 5 is the 
specification of a process that awaits the receipt of a message from another process. If 
u time units elapse without such a message arriving, Timeout(u, M) performs a timeout 
action, thereby "suspecting" the other process. When a message arrives it "unsuspects" 
the other process. Timeout(u, M) may suspect and unsuspect repeatedly. 

The discrete variable suspected is a flag that shows whether Timeout(u, M) suspects 
that the other process is failed. The variable clock is a timer that records the amount of 
time that has elapsed since the receipt of the last message. 

A receive{m) transition can occur at any time; this causes the variable clock to be 
reset and the flag suspected to be set to false. If clock reaches u before the arrival of a 
message then the timeout action becomes enabled. The process sets suspected to true as 
a result of a timeout. 

The discrete variable suspected remains constant throughout each trajectory. The 
trajectory specification also shows that clock increases at the same rate as real time and, 
if suspected = false, then time cannot go beyond the point where clock = u. Note that if 
suspected = true, there is no restriction on the amount of time that can elapse. 

Automaton PeriodicSend2(u, M) where u ∈ R^+ 
  Variables X :    discrete failed ∈ Bool, initially false 
                   analog clock ∈ R, initially 0 
  States Q :       val(X) 
  Actions A :      external send(m) where m ∈ M 
                   external fail 
  Transitions D :  external send(m) 
                     precondition 
                       ¬failed 
                       clock = u 
                     effect 
                       clock := 0 
                   external fail 
                     effect 
                       failed := true 
  Trajectories T : satisfies 
                     constant(failed) 
                     d(clock) = 1 
                   stops when 
                     ¬failed and clock = u 

Figure 4: Periodic sending process with failures 



Example 4.5 (Fischer's mutual exclusion algorithm) The automaton presented in 
Figures 6 and 7 is the specification of a shared memory mutual exclusion algorithm which 
uses a single shared variable that can be read and written by all the participants. The 
automaton parameters u_set and l_check represent upper and lower time bounds for the set_i 
and check_i actions respectively. We assume that u_set < l_check. The parameter I represents 
the set of indices of processes that participate in the algorithm and is required to be finite. 

The shared variable x can be assigned any value in I or the special value ⊥. If a 
process is in the critical region, then the variable x contains the index of that process. If 
all users are in the remainder region, then the variable x contains the value ⊥. The array 
variable pc records the program counters of all processes. The array variable lastset keeps 
track of the deadlines by which the processes' set actions must occur. Similarly, the array 
variable firstcheck keeps track of the earliest time the processes' check actions may occur. 
Automaton Timeout(u, M) where u ∈ R^+ 
  Variables X :    discrete suspected ∈ Bool, initially false 
                   analog clock ∈ R, initially 0 
  States Q :       val(X) 
  Actions A :      external receive(m) where m ∈ M 
                   external timeout 
  Transitions D :  external receive(m) 
                     effect 
                       clock := 0 
                       suspected := false 
                   external timeout 
                     precondition 
                       ¬suspected 
                       clock = u 
                     effect 
                       suspected := true 
  Trajectories T : satisfies 
                     constant(suspected) 
                     d(clock) = 1 
                   stops when 
                     clock = u and ¬suspected 

Figure 5: Timeout 

The analog variable now models real time. 

The transition definitions for external actions try_i, test_i, crit_i, exit_i are straightforward. 
When a process performs one of these actions, its program counter is updated to record 
the region entered by the process. The most interesting transition definitions are test_i, set_i 
and check_i since they are the ones that involve timing constraints of the algorithm. When 
a process i performs a test action and observes x to be ⊥, it sets lastset[i] to now + u_set. 
This sets the deadline for the performance of the set_i action. Note that this deadline is 
enforced through the stopping condition in the trajectory specification. The transition 
set_i sets firstcheck[i] to now + l_check. The value of firstcheck[i] determines the earliest 
time check_i may occur. The check_i action is enabled only when the current time has at 
least this value. 

The trajectory specification says that the values of discrete variables are kept constant 
by trajectories. The stopping condition implies that if the value of now reaches the value 
of lastset[i] for some process i at some point in time, then that point must be the limit 
time of the trajectory. 
Type PcValue = enumeration of rem, test, set, check, leavetry, crit, reset, leaveexit 

Automaton FischerME(u_set, l_check, I) where u_set ∈ R^{≥0}, l_check ∈ R^{≥0}, u_set < l_check 
  Variables X :  discrete x ∈ I ∪ {⊥}, initially ⊥ 
                 discrete pc, an array of elements of PcValue indexed by I, 
                   initially ∀i ∈ I. pc[i] = rem 
                 discrete lastset, an array of elements of R ∪ {∞} indexed by I, 
                   initially ∀i ∈ I. lastset[i] = ∞ 
                 discrete firstcheck, an array of elements of type R indexed by I, 
                   initially ∀i ∈ I. firstcheck[i] = 0 
                 analog now ∈ R, initially 0 
  States Q :     val(X) 
  Actions A :    external try_i, crit_i, exit_i, rem_i 
                 internal test_i, set_i, check_i, reset_i where i ∈ I 

Figure 6: Fischer's mutual exclusion algorithm: Variables, states, and actions 

Example 4.6 (Clock synchronization) The automaton in Figure 8 is the specification 
of a single process in a clock synchronization algorithm. Each process has a physical clock 
and generates a logical clock. The goal of the algorithm is to achieve "agreement" and 
"validity" among the logical clock values. Agreement means that the logical clocks are 
close to one another. Validity means that the logical clocks are within the range of the 
physical clocks. 

The algorithm is based on the exchange of physical clock values between different 
processes in the system. The parameter u determines the frequency of sending messages. 
Processes in the system are indexed by the elements of a finite set I. ClockSync(u, ρ)_i has 
a physical clock physclock, which may drift from the real time with a drift rate bounded 
by ρ. It uses the variable maxother to keep track of the largest physical clock value of the 
other processes in the system. The variable nextsend records when it is supposed to send 
its physical clock to the other processes. The logical clock, logclock, is defined to be the 
maximum of maxother and physclock. Formally logclock is a derived variable, which is a 
function whose value is defined in terms of the state variables. 

A send(m)_i transition is enabled when m = physclock and nextsend = physclock. It 
causes the value of nextsend to be updated so that the next send can occur when physclock 
has advanced by u time units. The transition definition for receive(m)_{j,i} specifies the effect 
of receiving a message from another process j in the system. Upon the receipt of a message 
m from j, i sets maxother to the maximum of m and the current value of maxother, thereby 
updating its knowledge of the largest physical clock value of other processes in the system. 

The trajectory specification is slightly different from that in the previous examples. In 
this example, the analog variable physclock does not change at the same rate as real time 
Transitions D : 
  external try_i 
    precondition 
      pc[i] = rem 
    effect 
      pc[i] := test 

  internal test_i 
    precondition 
      pc[i] = test 
    effect 
      if x = ⊥ then 
        pc[i] := set 
        lastset[i] := now + u_set 

  internal set_i 
    precondition 
      pc[i] = set 
    effect 
      x := i 
      pc[i] := check 
      lastset[i] := ∞ 
      firstcheck[i] := now + l_check 

  internal check_i 
    precondition 
      pc[i] = check 
      now ≥ firstcheck[i] 
    effect 
      if x = i then 
        pc[i] := leavetry 
      else 
        pc[i] := test 

  external crit_i 
    precondition 
      pc[i] = leavetry 
    effect 
      pc[i] := crit 

  external exit_i 
    precondition 
      pc[i] = crit 
    effect 
      pc[i] := reset 

  internal reset_i 
    precondition 
      pc[i] = reset 
    effect 
      x := ⊥ 
      pc[i] := leaveexit 

  external rem_i 
    precondition 
      pc[i] = leaveexit 
    effect 
      pc[i] := rem 

Trajectories T : 
  satisfies 
    constant(x) 
    constant(pc) 
    constant(lastset) 
    constant(firstcheck) 
    d(now) = 1 
  stops when 
    ∃i ∈ I. now = lastset[i] 

Figure 7: Fischer's mutual exclusion algorithm: Transitions and trajectories 
Automaton ClockSync(u, ρ)_i where u ∈ R^+, 0 ≤ ρ < 1, i ∈ I 
  Variables X :        analog physclock ∈ R, initially 0 
                       discrete nextsend ∈ R, initially 0 
                       discrete maxother ∈ R, initially 0 
  Derived variables :  logclock = max(maxother, physclock) 
  States Q :           val(X) 
  Actions A :          external send(m)_i, receive(m)_{j,i} where m ∈ R, j ∈ I, j ≠ i 
  Transitions D :      external send(m)_i 
                         precondition 
                           m = physclock 
                           physclock = nextsend 
                         effect 
                           nextsend := nextsend + u 
                       external receive(m)_{j,i} 
                         effect 
                           maxother := max(maxother, m) 
  Trajectories T :     satisfies 
                         constant(nextsend) 
                         constant(maxother) 
                         continuous(physclock) 
                         1 − ρ ≤ d(physclock) ≤ 1 + ρ 
                       stops when 
                         physclock = nextsend 

Figure 8: Clock synchronization 
but it drifts with a rate that is bounded by ρ. The periodic sending of physical clocks to 
other processes is enforced through the stopping condition in the trajectory specification. 
Time is not allowed to pass beyond the point where physclock = nextsend. 



4.2 Executions and Traces 

We now define execution fragments, executions, trace fragments, and traces, which are 
used to describe automaton behavior. An execution fragment of a timed automaton A is 
an (A, V)-sequence α = τ0 a1 τ1 a2 τ2 ..., where (1) each τ_i is a trajectory in T, and (2) 
if τ_i is not the last trajectory in α then $\tau_i.\mathit{lstate} \xrightarrow{a_{i+1}} \tau_{i+1}.\mathit{fstate}$. An execution fragment 
records what happens during a particular run of a system, including all the instantaneous, 
discrete state changes and all the changes to the state that occur while time advances. We 
write frags_A for the set of all execution fragments of A. 

If α is an execution fragment, with notation as above, then we define the first state of 
α, α.fstate, to be α.fval. An execution fragment of a timed automaton A from a state x 
of A is an execution fragment of A whose first state is x. We write frags_A(x) for the set of 
execution fragments of A from x. An execution fragment α is defined to be an execution if 
α.fstate is a start state, that is, α.fstate ∈ Θ. We write execs_A for the set of all executions 
of A. If α is a closed (A, V)-sequence then we define the last state of α, α.lstate, to be 
α.lval. 

If α is an execution fragment, then β is a suffix of α provided that there exists α' such 
that α' ⌢ β = α and α'.lstate = β.fstate. 

A state of A is reachable if it is the last state of some closed execution of A. A property 
that is true for all reachable states of an automaton is called an invariant assertion, or 
invariant, for short. 

Lemma 4.7 Let α0 α1 ... be a finite or infinite sequence of execution fragments of A such 
that, for each nonfinal index i, α_i is closed and α_i.lstate = α_{i+1}.fstate. Then α0 ⌢ α1 ⌢ ... 
is an execution fragment of A. 

Proof: Follows easily from the definitions, using axiom T3. ■ 



Lemma 4.8 Let α and β be execution fragments of A with α closed. Then 

$$\alpha \le \beta \;\Leftrightarrow\; \exists \alpha' \in \mathit{frags}_A : \beta = \alpha \frown \alpha'.$$

Proof: Implication "⇐" follows directly from the corresponding implication in Lemma 3.7. 
Implication "⇒" follows from the definitions and T2. ■ 

The external behavior of a timed automaton is captured by the set of "traces" of 
its execution fragments, which record external actions and the trajectories that describe 
the intervening passage of time. A trace consists of alternating external actions and 
trajectories over the empty set of variables, $\emptyset$; the only interesting information contained 
in these trajectories is the amount of time that elapses. 

Formally, if $\alpha$ is an execution fragment, then the trace of $\alpha$, denoted by $\mathit{trace}(\alpha)$, is 
the $(E, \emptyset)$-restriction of $\alpha$, $\alpha \lceil (E, \emptyset)$. A trace fragment of a timed automaton A from a 
state $\mathbf{x}$ of A is the trace of an execution fragment of A whose first state is $\mathbf{x}$. We write 
$\mathit{tracefrags}_{\mathcal{A}}(\mathbf{x})$ for the set of trace fragments of A from $\mathbf{x}$. Also, we define a trace of A to 
be a trace fragment from a start state, that is, the trace of an execution of A, and write 
$\mathit{traces}_{\mathcal{A}}$ for the set of traces of A. 

In the earlier timed automaton models [25, 36], execution fragments were defined in a 
similar style to the one presented here, that is, as an alternating sequence of trajectories 
and actions. However, the traces were not derived from execution fragments by a simple 
restriction to external actions and the empty set of variables. Rather, a trace was defined 
as a sequence consisting of actions paired with their time of occurrence together with 
a limit time. The new definition increases uniformity; the definitions, results and proof 
techniques for hybrid sequences apply to both execution fragments and traces. 

We now revisit some of the automata presented earlier in this section and give sample 
executions and traces for these automata. 

Example 4.9 (Periodic sending process) Consider the automaton $\mathit{PeriodicSend}(u, M)$ 
from Example 4.2 where $u$ is instantiated to the real number 3 and the message type parameter 
$M$ is instantiated to the set $\{m_1, m_2, \ldots\}$. The following sequence is an execution 
of the automaton: 

$\alpha = \tau_0\ \mathit{send}(m_1)\ \tau_1\ \mathit{send}(m_2)\ \tau_2\ \mathit{send}(m_3)\ \tau_3 \ldots$ 

where $\tau_i : [0,3] \to \mathit{val}(\{\mathit{clock}\})$ are defined such that $\tau_i(t)(\mathit{clock}) = t$ for all $t \in [0,3]$. 

The functions $\tau_i$ are defined on closed intervals of length 3, starting at time 0. They 
describe the evolution of the variable $\mathit{clock}$, which is 0 at the start of each $\tau_i$ and increases 
at rate 1 for 3 time units. The discrete $\mathit{send}$ events occur periodically, every 3 time 
units, and reset the $\mathit{clock}$ variable to 0. 

The trace of the above execution fragment, $\mathit{trace}(\alpha)$, is the sequence 

$\tau_0'\ \mathit{send}(m_1)\ \tau_1'\ \mathit{send}(m_2)\ \tau_2'\ \mathit{send}(m_3)\ \tau_3' \ldots$ 

where $\tau_i' : [0,3] \to \mathit{val}(\emptyset)$. 

Since the range of each function $\tau_i'$ contains only the function with the empty domain, 
$\mathit{trace}(\alpha)$ does not contain any information about what happens to the value of $\mathit{clock}$ as 
time progresses. Since the domains of each $\tau_i$ and $\tau_i'$ are identical, $\alpha$ and $\mathit{trace}(\alpha)$ express 
the same information about the amount of time that elapses between discrete steps. ■ 

Example 4.10 (Timeout process) We now present an execution of the automaton 
$\mathit{Timeout}(u, M)$ from Example 4.4 where the maximum waiting time $u$ for a message 
is 5 and the message alphabet $M$ is the set $\{m_1, m_2\}$. The following finite sequence is an 
execution of $\mathit{Timeout}(u, M)$: 

$\alpha = \tau_0\ \mathit{receive}(m_1)\ \tau_1\ \mathit{timeout}\ \tau_2\ \mathit{receive}(m_2)\ \tau_3\ \mathit{timeout}\ \tau_4$ 

where $\mathit{Val} = \mathit{val}(\{\mathit{suspected}, \mathit{clock}\})$ and the functions $\tau_0, \tau_1, \tau_2, \tau_3, \tau_4$ are defined as follows: 

$\tau_0 : [0,2] \to \mathit{Val}$ where $\tau_0(t)(\mathit{suspected}) = \mathit{false}$ and $\tau_0(t)(\mathit{clock}) = t$ for all $t \in [0,2]$. 

$\tau_1 : [0,5] \to \mathit{Val}$ where $\tau_1(t)(\mathit{suspected}) = \mathit{false}$ and $\tau_1(t)(\mathit{clock}) = t$ for all $t \in [0,5]$. 

$\tau_2 : [0,1] \to \mathit{Val}$ where $\tau_2(t)(\mathit{suspected}) = \mathit{true}$ and $\tau_2(t)(\mathit{clock}) = 5 + t$ for all $t \in [0,1]$. 

$\tau_3 : [0,5] \to \mathit{Val}$ where $\tau_3(t)(\mathit{suspected}) = \mathit{false}$ and $\tau_3(t)(\mathit{clock}) = t$ for all $t \in [0,5]$. 

$\tau_4 : [0,\infty) \to \mathit{Val}$ where $\tau_4(t)(\mathit{suspected}) = \mathit{true}$ and $\tau_4(t)(\mathit{clock}) = 5 + t$ for all $t \in [0,\infty)$. 

In this sample execution, the first awaited message arrives at time 2. Since no other 
message arrives within the next 5 time units, the process performs a timeout. A new 
message arrives 1 time unit after the timeout and the variable clock is reset to 0. Since no 
new message arrives in the next 5 time units the process performs another timeout. The 
time elapses forever after this timeout since no further message arrives. 

This example illustrates that the automaton Timeout {u, M) can perform multiple 
timeout transitions. Another point to note is that the sample execution consists of a 
finite $(A, V)$-sequence ending with a trajectory, as opposed to an infinite sequence as in 
Example 4.9. The final trajectory here is a trajectory whose domain is right open and the 
execution is admissible and non-Zeno. Replacing T4 with a function on a closed interval 
would yield a non-Zeno execution that is not admissible. 

The trace of the execution $\alpha$ can be obtained by letting the range of each $\tau_i$ be the set 
consisting of the function with the empty domain, as we did in the previous example. That 
is, by hiding the values of the internal variables clock and suspected during trajectories. 
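The following Python code is an added illustration and not part of the paper: it represents finite $(A, V)$-sequences as Python lists, computes the $(E, \emptyset)$-restriction that defines a trace, classifies a sequence as closed, admissible or Zeno, and checks condition (2) of the execution-fragment definition on the execution $\alpha$ of Example 4.10. It also goes slightly beyond the text by building the two variants of $\tau_4$ that the example only mentions (a closed interval and a bounded open interval). The discrete transitions of $\mathit{Timeout}(u, M)$ are reconstructed from the sample execution, since Example 4.4 is not reproduced here, and are therefore an assumption, as are all function and type names.

```python
import math
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, List, Union

INF = math.inf


@dataclass(frozen=True)
class Traj:
    """Trajectory over `variables`: domain [0, ltime] if `closed`, else [0, ltime) (ltime may be INF).
    `val(t)` is the valuation tau(t), a dict from variable name to value."""
    variables: FrozenSet[str]
    ltime: float
    closed: bool
    val: Callable[[float], Dict[str, Any]]

    def fstate(self) -> Dict[str, Any]:
        return self.val(0.0)

    def lstate(self) -> Dict[str, Any]:
        assert self.closed, "an open trajectory has no last state"
        return self.val(self.ltime)

    def restrict(self, keep: FrozenSet[str]) -> "Traj":
        """Restriction to the variables in `keep` (the V part of an (E, V)-restriction)."""
        kept = self.variables & keep
        return Traj(kept, self.ltime, self.closed, lambda t, f=self.val: {v: f(t)[v] for v in kept})


Frag = List[Union[Traj, str]]   # finite (A, V)-sequence tau0 a1 tau1 ... an taun; actions are names


def ltime(alpha: Frag) -> float:
    return sum(e.ltime for e in alpha if isinstance(e, Traj))


def is_closed(alpha: Frag) -> bool:
    return isinstance(alpha[-1], Traj) and alpha[-1].closed


def is_admissible(alpha: Frag) -> bool:
    return ltime(alpha) == INF


def is_zeno(alpha: Frag) -> bool:
    """Zeno: neither closed nor admissible, e.g. a finite sequence ending in a bounded open trajectory."""
    return not is_closed(alpha) and not is_admissible(alpha)


def concat(t1: Traj, t2: Traj) -> Traj:
    """tau1 ^ tau2 for a closed tau1 with tau1.lstate = tau2.fstate: tau2 is shifted to start at tau1.ltime."""
    assert t1.closed and t1.variables == t2.variables
    return Traj(t1.variables, t1.ltime + t2.ltime, t2.closed,
                lambda t, f1=t1.val, f2=t2.val, cut=t1.ltime: f1(t) if t < cut else f2(t - cut))


def trace(alpha: Frag, is_external: Callable[[str], bool]) -> Frag:
    """(E, empty set)-restriction: external actions are kept, internal ones are dropped (the
    trajectories on either side of a dropped action are concatenated), and every variable is
    forgotten, so the trajectories of the result carry only the amount of time that elapses."""
    out: Frag = []
    for e in alpha:
        if isinstance(e, Traj):
            t = e.restrict(frozenset())
            if out and isinstance(out[-1], Traj):       # an internal action was just dropped: merge
                out[-1] = concat(out[-1], t)
            else:
                out.append(t)
        elif is_external(e):
            out.append(e)
    return out


def actions(alpha: Frag) -> List[str]:
    return [e for e in alpha if isinstance(e, str)]


def discrete_steps_ok(alpha: Frag, is_transition: Callable[[Dict, str, Dict], bool]) -> bool:
    """Condition (2) of the definition: tau_i.lstate --a_{i+1}--> tau_{i+1}.fstate for every action."""
    return all(is_transition(alpha[i - 1].lstate(), alpha[i], alpha[i + 1].fstate())
               for i in range(1, len(alpha), 2))


# ---- Timeout(u, M) with u = 5 and M = {m1, m2}, as in Example 4.10 ------------------------------
U = 5.0
V = frozenset({"suspected", "clock"})


def timeout_transition(x: Dict[str, Any], a: str, xp: Dict[str, Any]) -> bool:
    """Discrete steps of Timeout(u, M) reconstructed from the sample execution (assumption; Example 4.4
    is not reproduced here): receive(m) resets clock to 0 and clears suspected; timeout is enabled
    when clock = u and suspected is false, and sets suspected without touching clock."""
    if a.startswith("receive("):
        return xp == {"suspected": False, "clock": 0.0}
    if a == "timeout":
        return not x["suspected"] and x["clock"] == U and xp == {"suspected": True, "clock": U}
    return False


def traj(length: float, closed: bool, suspected: bool, clock0: float) -> Traj:
    """tau(t)(suspected) = suspected and tau(t)(clock) = clock0 + t on [0, length] or [0, length)."""
    return Traj(V, length, closed, lambda t: {"suspected": suspected, "clock": clock0 + t})


# alpha = tau0 receive(m1) tau1 timeout tau2 receive(m2) tau3 timeout tau4 of Example 4.10
ALPHA: Frag = [traj(2, True, False, 0), "receive(m1)", traj(5, True, False, 0), "timeout",
               traj(1, True, True, 5), "receive(m2)", traj(5, True, False, 0), "timeout",
               traj(INF, False, True, 5)]
ALPHA_CLOSED: Frag = ALPHA[:-1] + [traj(1, True, True, 5)]   # tau4 on [0, 1]: closed, non-Zeno, not admissible
ALPHA_ZENO: Frag = ALPHA[:-1] + [traj(1, False, True, 5)]    # tau4 on [0, 1): neither closed nor admissible
```

Both `receive` and `timeout` are external in the example, so `trace(ALPHA, lambda a: True)` keeps every action and only forgets the variables; passing a predicate that treats some action as internal exercises the concatenation of the surrounding trajectories, which is how Lemma 4.13's statement that elapsed time is preserved shows up in code.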



Example 4.11 (Time-bounded channel) Consider the time-bounded channel automaton 
from Example 4.1. It is easy to observe that time cannot pass beyond any delivery 
deadline recorded in the message queue and that each deadline in the queue is less than 
or equal to the sum of the current time and the bound $b$. This property can be stated as 
an invariant assertion as follows. 

Invariant 1: In any reachable state $\mathbf{x}$ of automaton $\mathit{TimedChannel}(b, M)$, for all 
$(m, u)$ in $\mathbf{x}(\mathit{queue})$, $\mathbf{x}(\mathit{now}) \le u \le \mathbf{x}(\mathit{now}) + b$. 

Such an invariant can be proved by induction. Recall that reachable states are the 
final states of closed executions. Axioms T1 and T2 allow us to view any closed execution 
as a concatenation of closed execution fragments, $\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_k$, where every $\alpha_i$ is 
either a closed trajectory or a discrete action surrounded by point trajectories, and where 
$\alpha_i.\mathit{lstate} = \alpha_{i+1}.\mathit{fstate}$ for $0 \le i \le k - 1$. The invariant can then be proved using induction 
on the length $k$ of the sequence of execution fragments $\alpha_i$. ■ 
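As an added example (Python, not from the paper), the code below models $\mathit{TimedChannel}(b, M)$ with the behaviour this section and Example 4.25 describe (a queue of (message, deadline) pairs, $\mathit{send}(m)$ appending $(m, \mathit{now} + b)$, $\mathit{receive}(m)$ removing the first element, and time unable to pass a deadline) and checks Invariant 1 in the two ways the proof sketch suggests: along randomly generated closed executions, and as the inductive step over the three kinds of fragment. Figure 2 is not reproduced here, so the transition and stopping rules are assumptions, as are all function names.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

Queue = Tuple[Tuple[str, float], ...]   # (message, delivery deadline) pairs, oldest first


@dataclass(frozen=True)
class State:
    now: float
    queue: Queue


def start_state() -> State:
    return State(0.0, ())          # unique start state: now = 0, queue empty


def send(x: State, m: str, b: float) -> State:
    """send(m): append (m, now + b); always enabled."""
    return State(x.now, x.queue + ((m, x.now + b),))


def receive(x: State, m: str) -> Optional[State]:
    """receive(m): enabled only when the first queue element is (m, u); removes it."""
    if not x.queue or x.queue[0][0] != m:
        return None
    return State(x.now, x.queue[1:])


def advance(x: State, d: float) -> Optional[State]:
    """Closed trajectory of duration d: d(now) = 1, queue constant. Time cannot pass beyond
    any deadline in the queue (assumed stopping condition); such a trajectory is rejected."""
    if d < 0 or (x.queue and x.now + d > min(u for _, u in x.queue)):
        return None
    return State(x.now + d, x.queue)


def invariant1(x: State, b: float) -> bool:
    """Invariant 1 of Example 4.11: now <= u <= now + b for every (m, u) in the queue."""
    return all(x.now <= u <= x.now + b for _, u in x.queue)


def random_closed_execution(b: float, msgs: List[str], steps: int, rng: random.Random) -> List[State]:
    """A closed execution alpha_0 ^ alpha_1 ^ ... ^ alpha_k built from closed trajectories and
    discrete steps; returns every state visited (each of them is reachable by definition)."""
    x = start_state()
    visited = [x]
    for _ in range(steps):
        kind = rng.choice(["send", "receive", "advance"])
        if kind == "send":
            x = send(x, rng.choice(msgs), b)
        elif kind == "receive" and x.queue:
            x = receive(x, x.queue[0][0])
        else:
            limit = min(u for _, u in x.queue) - x.now if x.queue else b
            y = advance(x, rng.uniform(0.0, limit))
            if y is None:          # rounding pushed the end past the deadline: skip this step
                continue
            x = y
        visited.append(x)
    return visited


def invariant_holds_on_samples(b: float, msgs: List[str], runs: int, steps: int, seed: int = 0) -> bool:
    rng = random.Random(seed)
    return all(invariant1(x, b)
               for _ in range(runs) for x in random_closed_execution(b, msgs, steps, rng))


def inductive_step_holds(b: float, samples: int, seed: int = 1) -> bool:
    """The inductive step of the proof sketched in Example 4.11, checked on sampled states: from
    any state satisfying Invariant 1 (reachable or not), a send, an enabled receive and an allowed
    closed trajectory each lead to a state satisfying it again."""
    rng = random.Random(seed)
    for _ in range(samples):
        now = rng.uniform(0.0, 10.0)
        queue = tuple((f"m{i}", rng.uniform(now, now + b)) for i in range(rng.randint(0, 4)))
        x = State(now, queue)                       # constructed state that satisfies Invariant 1
        successors = [send(x, "m", b),
                      receive(x, queue[0][0]) if queue else None,
                      advance(x, rng.uniform(0.0, b))]
        if any(y is not None and not invariant1(y, b) for y in successors):
            return False
    return True


def violation_without_stopping_condition(b: float) -> bool:
    """Why the invariant depends on timing: if time were allowed to pass a deadline (which
    `advance` forbids), the resulting state would violate Invariant 1."""
    x = send(start_state(), "m1", b)
    y = State(x.now + b + 1.0, x.queue)            # not the end state of any legal trajectory
    return not invariant1(y, b)
```

Sampling is not a proof: `inductive_step_holds` only confirms on random states what the induction argues for all of them. Its value is that it is phrased over arbitrary invariant-satisfying states rather than reachable ones, which is exactly the strengthening the inductive proof performs.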

Example 4.12 (Fischer's mutual exclusion) The main safety property that needs to 
be satisfied by the automaton $\mathit{FischerME}$ from Example 4.5 is mutual exclusion. This 
safety property can be expressed as an invariant assertion: 

Invariant 1: In any reachable state $\mathbf{x}$ of $\mathit{FischerME}(u_{\mathit{set}}, l_{\mathit{check}}, I)$, there do not 
exist $i \in I$ and $j \in I$ such that $\mathbf{x}(\mathit{pc})[i] = \mathit{crit}$ and $\mathbf{x}(\mathit{pc})[j] = \mathit{crit}$. 

Even though the invariant does not refer to time, its proof depends on the timing 
constraints of the automaton. For example, the following auxiliary invariant can be used 
in proving Invariant 4.12: 

Invariant 2: In any reachable state $\mathbf{x}$ of $\mathit{FischerME}(u_{\mathit{set}}, l_{\mathit{check}}, I)$, if $\mathit{pc}[i] = \mathit{check}$, 
$x = i$, and $\mathit{pc}[j] = \mathit{set}$, then $\mathit{firstcheck}[i] > \mathit{lastset}[j]$. 

This invariant states that if the program counter of process i has the value check, the 
program counter of process j has the value set, and the variable x has the value i, then 
i will allow enough time for j to set x to j, before performing the check. If this timing 
constraint were not satisfied, it would be possible for $i$ to check that $x = i$ before $j$ sets 
$x$ to $j$. Both of the processes would then observe $x$ to contain their own index and enter 
the critical region. ■ 



Lemma 4.13 If $\alpha$ is an execution of A then 

1. $\alpha$ is time-bounded if and only if $\mathit{trace}(\alpha)$ is time-bounded. 

2. $\alpha$ is admissible if and only if $\mathit{trace}(\alpha)$ is admissible. 

3. If $\alpha$ is closed then $\mathit{trace}(\alpha)$ is closed. 

4. If $\alpha$ is non-Zeno then $\mathit{trace}(\alpha)$ is non-Zeno. 

Proof: It follows directly from the restriction of $(A, V)$-sequences. ■ 



Lemma 4.14 If $\beta$ is a trace of A then 

1. If $\beta$ is closed then there exists an execution $\alpha$ of A such that $\mathit{trace}(\alpha) = \beta$ and $\alpha$ is 
closed. 

2. If $\beta$ is non-Zeno then there exists an execution $\alpha$ of A such that $\mathit{trace}(\alpha) = \beta$ and 
$\alpha$ is non-Zeno. 

Proof: For the first part of the theorem, let $\beta = \mathit{trace}(\alpha)$ be a closed trace of A. By 
definition of a trace, we know that $\beta.\mathit{ltime} = \alpha.\mathit{ltime}$. We also know that $\alpha$ is either closed 
or has a suffix which is an infinite sequence of alternating point trajectories and actions. 
Now, let $\alpha'$ be the least closed prefix of $\alpha$ such that $\alpha'.\mathit{ltime} = \beta.\mathit{ltime}$. Clearly, $\alpha'$ is a 
closed execution of A. 

For the second part of the theorem, observe that a non-Zeno trace is either closed or 
admissible. Let $\beta = \mathit{trace}(\alpha)$. For the case where $\beta$ is closed, we have already shown how 
we can find a closed execution. For the case where $\beta = \mathit{trace}(\alpha)$ is admissible, we know 
that $\alpha.\mathit{ltime} = \infty$. Hence, $\alpha$ is admissible, as needed. ■ 

Example 4.15 (Constructing a closed execution from a closed trace) Consider 
the Zeno hybrid sequence $\alpha = \wp(\mathbf{v})\ a\ \wp(\mathbf{v})\ a\ \wp(\mathbf{v}) \ldots$ given in Example 3.12. Suppose that 
$\alpha$ is an execution of A and that $a$ is an internal action of A. Then, $\mathit{trace}(\alpha) = \wp(\mathbf{v}')$ where 
$\wp(\mathbf{v}')$ is a trajectory over the empty set of variables. However, the fact that $\mathit{trace}(\alpha)$ is 
closed does not imply that $\alpha$ is closed. Thus, we see why we have a one way implication 
in item 3 of Lemma 4.13. On the other hand, we can construct a closed execution of A 
with trace $\wp(\mathbf{v}')$ as explained in the proof of Lemma 4.14. The execution consisting of the 
point trajectory $\wp(\mathbf{v})$ is a closed execution of A with trace $\wp(\mathbf{v}')$. ■ 



4.3 Special Kinds of Timed Automata 

This section describes several restricted forms of timed automata. In Section 4.3.1 we give 
definitions that are needed for theorems later in the paper. In Section 4.3.2 we formulate 
the timed automata of Alur and Dill [4, 6] as a special case of our timed automata. 

4.3.1 Basic constraints 

Timed Automata with Finite Internal Nondeterminism: We are sometimes in- 
terested in bounding the amount of internal nondeterminism in a timed automaton. Thus, 
we say that a timed automaton A has finite internal nondeterminism (FIN) provided that: 

1. The set $\Theta$ of start states is finite, and 

2. For every state $\mathbf{x}$ of A and every trace fragment $\beta$ of A from $\mathbf{x}$, the set 
$\{\alpha.\mathit{lstate} \mid \alpha \in \mathit{frags}_{\mathcal{A}}(\mathbf{x}) \wedge \mathit{trace}(\alpha) = \beta\}$ is finite. 

Example 4.16 (Automata with FIN) The automata $\mathit{TimedChannel}(b, M)$, 
$\mathit{PeriodicSend}(u, M)$, $\mathit{PeriodicSend2}(u, M)$ and $\mathit{Timeout}(u, M)$ given in Section 4.1 all 
have FIN. The first property of the definition of FIN is satisfied since each of these au- 
tomata has a unique start state. The second property follows from the fact that in each 
automaton, for every state $\mathbf{x}$ and every trace fragment $\beta$ from $\mathbf{x}$, there is a unique execution 
fragment $\alpha$ such that $\mathit{trace}(\alpha) = \beta$. ■ 

Example 4.17 (Automata without FIN) We now show that $\mathit{FischerME}(u_{\mathit{set}}, l_{\mathit{check}}, I)$ 
and $\mathit{ClockSync}(u, \rho)_i$ do not have FIN. For each automaton, we specify a trace, describe 
the set of all executions that have the specified trace, and argue that the second property 
in the definition of FIN fails for the chosen trace. 

Let $\mathbf{x}$ be the start state of $\mathit{FischerME}(u_{\mathit{set}}, l_{\mathit{check}}, I)$ and $\beta = \tau_0\ \mathit{try}_i\ \tau_1$ be a trace of 
the same automaton where the domains of the functions $\tau_0$ and $\tau_1$ are, respectively, the 
single point interval $[0, 0]$ and the interval $[0, u]$, and the range of both functions is the set 
consisting of the function with the empty domain. For any execution $\alpha$, $\mathit{trace}(\alpha) = \beta$ if 
and only if $\alpha.\mathit{ltime} = u$, $\mathit{try}_i$ occurs at time 0, and all the actions in $\alpha$ that occur after $\mathit{try}_i$ 
are internal actions. There are infinitely many different times that the internal actions 
may occur, and infinitely many values $\mathit{lastcheck}$ and $\mathit{firstcheck}$ could have, by the time 
$u$. Therefore, the set $\{\alpha.\mathit{lstate} \mid \alpha \in \mathit{frags}_{\mathcal{A}}(\mathbf{x}) \wedge \mathit{trace}(\alpha) = \tau_0\ \mathit{try}_i\ \tau_1\}$ is not finite and 
$\mathit{FischerME}(u_{\mathit{set}}, l_{\mathit{check}}, I)$ does not have FIN. 

Now, let $\mathbf{x}$ be the start state of $\mathit{ClockSync}(u, \rho)_i$ where $\mathbf{x}(\mathit{physclock}) = \mathbf{x}(\mathit{nextsend}) = 
\mathbf{x}(\mathit{maxother}) = 0$ and $\beta = \tau_0\ \mathit{send}(0)\ \tau_1$ be a trace of $\mathit{ClockSync}(u, \rho)_i$ where the domains 
of functions $\tau_0$ and $\tau_1$ are, respectively, the interval $[0, 0]$ and the interval $[0, u]$, and the 
range of both functions is the set consisting of the function with the empty domain. For any 
$\alpha$ in which $\mathit{send}(0)$ occurs at time 0 and is followed by a trajectory $\tau$ such that $\tau.\mathit{ltime} = u$, 
we have $\mathit{trace}(\alpha) = \beta$. For any such $\alpha$, $\alpha.\mathit{lstate}(\mathit{physclock})$ can be any value in the interval 
$[u(1 - \rho), u(1 + \rho)]$. Therefore, the set $\{\alpha.\mathit{lstate} \mid \alpha \in \mathit{frags}_{\mathcal{A}}(\mathbf{x}) \wedge \mathit{trace}(\alpha) = \tau_0\ \mathit{send}(0)\ \tau_1\}$ 
is not finite and $\mathit{ClockSync}(u, \rho)_i$ does not have FIN. ■ 



The following lemma states that if a timed automaton has FIN, then its set of traces 
is limit-closed. 

Lemma 4.18 Suppose that timed automaton A has FIN and $\mathbf{x} \in Q$. Suppose that 
$\beta_1\, \beta_2 \cdots$ is a chain of trace fragments of A from $\mathbf{x}$. Then the hybrid sequence $\lim_i \beta_i$ 
is a trace fragment of A from $\mathbf{x}$. 

Proof: This is analogous to the proof of Lemma 4.3 of [25]. Suppose that A is a timed 
automaton that has FIN, $\mathbf{x}$ is a state of A, and $\beta_1\, \beta_2 \cdots$ is a chain of trace fragments of 
A from $\mathbf{x}$. We define a relation $\mathit{after}$ between trace fragments from $\mathbf{x}$ and states of A: 

$\mathit{after} = \{(\beta, \mathbf{y}) \mid \exists \alpha \in \mathit{frags}_{\mathcal{A}}(\mathbf{x}).\ \mathit{trace}(\alpha) = \beta \wedge \alpha.\mathit{lstate} = \mathbf{y}\}$. 

We construct a directed graph $G$ whose nodes are pairs $(\beta_i, \mathbf{y}) \in \mathit{after}$ where $\beta_i$ is 
an element of the given chain. In $G$, there is an edge from $(\beta_i, \mathbf{y})$ to $(\beta_{i+1}, \mathbf{y}')$ exactly if 
$\beta_{i+1} = \beta_i \frown \gamma$ such that $\gamma = \mathit{trace}(\alpha)$ for some $\alpha \in \mathit{frags}_{\mathcal{A}}(\mathbf{y})$, and $\alpha.\mathit{lstate} = \mathbf{y}'$. By the 
definition of property FIN, there are finitely many roots of $G$. By the definition of FIN 
and the construction of $G$, each node of $G$ has finite outdegree. 

We claim that each node $(\beta_i, \mathbf{y})$ of $G$ is reachable from some root $(\beta_1, \mathbf{z})$ for some $\mathbf{z}$. 
By definition of the node set, there exists $\alpha \in \mathit{frags}_{\mathcal{A}}(\mathbf{x})$ such that $\mathit{trace}(\alpha) = \beta_i$ and 
$\alpha.\mathit{lstate} = \mathbf{y}$. Choose $\alpha' \in \mathit{frags}_{\mathcal{A}}(\mathbf{x})$ to be a prefix of $\alpha$ such that $\mathit{trace}(\alpha') = \beta_1$ and let 
$\mathbf{z} = \alpha'.\mathit{lstate}$. By definition of the edge set of $G$, $(\beta_i, \mathbf{y})$ is reachable from $(\beta_1, \mathbf{z})$. 

Hence, $G$ satisfies the hypotheses of Lemma 2.3, which implies that there is an infinite 
execution fragment starting from $\mathbf{x}$ whose trace is $\lim_i \beta_i$. Lemma 2.3 is an extension of 
König's lemma. ■ 

There are two references to automata with FIN later in the paper. The first one is in 
Theorem 4.20, which lists some sufficient conditions for establishing an implementation 
relationship between two automata. The second reference appears in the discussion about 
the kinds of automata that satisfy the assumptions of Theorem 8.7. 

Feasible Timed Automata: A timed automaton A is feasible provided that, for every 
state $\mathbf{x}$ of A, there exists an admissible execution fragment of A from $\mathbf{x}$. 

Feasibility is a basic requirement that any "reasonable" timed automaton should sat- 
isfy. Theorems 4.20, 6.11 and 7.2 establish some results about feasible automata. 

Timing-Independent Timed Automata: A timed automaton A is said to be timing- 
independent provided that all its state variables are discrete variables, and its set of tra- 
jectories is exactly the set of constant-valued functions over left-closed time intervals with 
left endpoint 0. 

We refer to timing-independent automata later in Example 6.5 and in our discussion 
about Corollary 8.8. 

4.3.2 Alur-Dill Automata 

The timed automaton framework of Alur and Dill [4, 6] is widely used in the formal 
modeling and verification of timed systems. An Alur-Dill timed automaton is a finite 
directed multigraph augmented with a finite set of clock variables. The nodes and edges 
of this multigraph are called locations and switches, respectively. Locations are generally 
used to represent different modes of operation of the automaton, whereas the clocks are 
used in expressing timing constraints. Each switch has an associated clock constraint, 
which is a predicate on clock valuations that constrains when the switch may be taken. 
The semantics of such a timed automaton are defined as a state transition system in which 
each state consists of a location and a clock valuation. A transition between states occurs 
as a result of a switch or time passage. 

Alur and Dill restrict the form of clock constraints in order to make the reachability 
problem (the problem of determining whether some target location is reachable) decidable: 
a clock constraint can be either a simple constraint comparing a clock variable to a rational 
constant, or a conjunction of simple constraints. 

In this section, we define a version of the Alur-Dill timed automaton model as a 
special case of our TA model. Our formulation relaxes the restrictions on the form of 
clock constraints. 

We assume that $T = \mathbb{R}$ and define an Alur-Dill (AD) timed automaton as a TA 
$\mathcal{A} = (X, Q, \Theta, E, H, \mathcal{D}, \mathcal{T})$ that satisfies the following conditions: 

1. $X$ is partitioned into two sets $X_d$ and $X_c$ where $X_d$ is a set of discrete variables and 
$X_c$ is a set of analog variables. We call the variables in $X_c$ clock variables. 

2. If $\mathbf{x} \in \Theta$, then for every $x \in X_c$, $\mathbf{x}(x) = 0$. 

3. If $(\mathbf{x}, a, \mathbf{x}') \in \mathcal{D}$, then for every $x \in X_c$, either $\mathbf{x}'(x) = 0$ or $\mathbf{x}'(x) = \mathbf{x}(x)$. 

4. Each trajectory $\tau \in \mathcal{T}$ satisfies the following conditions: 

(a) For every $x \in X_d$, $x$ is constant in $\tau$. 

(b) For every $x \in X_c$, $d(x) = 1$. 

Thus, in an AD timed automaton, the set of internal variables consists of discrete 
variables, which together represent the locations, and analog variables, which correspond 
to the clocks. In the initial states, all the clocks have value 0. A discrete transition either 
resets a clock or leaves it unchanged. The evolution of variables during a time interval 
is described by trajectories. In an AD automaton, the discrete variables are constant 
throughout a trajectory and clocks increase at the same rate as real time. 

Example 4.19 (An AD automaton) We revisit a timed automaton example from [4]. 
We first present the timed automaton using the original graphical notation of Alur and 
Dill, as in [4], and then redefine it as an AD timed automaton, using the notational 
conventions we have been using in our other examples. 

In the following multigraph, each switch is annotated with a symbol from a specified 
alphabet of labels, a constraint involving clock variables, and a statement that shows which 
clocks are reset to 0 as a result of a location switch. Note that some switches have no 
reset statements, meaning that the switch has no effect on the clock variables. 

The multigraph has four locations, $s_0, s_1, s_2$, and $s_3$, and two clocks, $x$ and $y$. A 
location switch, represented by an arrow annotated with a label $a$, $b$, $c$, or $d$, can be 
performed only when the constraint on the same arrow is satisfied. For example, the 
automaton can change its location from $s_3$ to $s_1$, following the switch labeled with $a$, 
when the clock variable $y$ has a value smaller than 1. The clock variable $y$ is reset as an 
effect of this location switch. 

[Figure (multigraph, not reproduced): the only switch annotations that survived extraction are "$d$, $x > 1$" and "$a$, $y < 1$, $y := 0$".] 

Figure 9 includes the expression of this multigraph as an AD automaton using our no- 
tational conventions. In the automaton AD, the discrete variable loc keeps track of the 
current location in the multigraph and the analog variables x and y represent the clocks. 
The actions of AD correspond to the labels in the original multigraph. Preconditions in 
transition definitions are used to express clock constraints associated with switches. Ef- 
fects clauses in transition definitions are used to describe location changes and resetting 
of clocks. The trajectory specification describes the effect of time passage on the location 
and the clocks. 



It is easy to check that the automaton AD, given in Figure 9, is an AD automaton. 
It satisfies the four conditions required to be classified as an AD automaton: (1) the set 
of internal variables $X$ can be partitioned into two sets $X_d$ and $X_c$ where $X_d = \{\mathit{loc}\}$ 
and $X_c = \{x, y\}$. (2) The clock variables $x$ and $y$ are initially 0. (3) The transition 
definitions either reset a clock or leave it unchanged. (4) The discrete variable $\mathit{loc}$ is 
constant throughout trajectories while $x$ and $y$ increase at rate 1. 
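As an added example (Python; not from the paper nor from Alur and Dill), the code below gives the automaton AD of Figure 9 the state-transition semantics described in this section: a state is a location together with a clock valuation, `take` performs a switch when its clock constraint holds and applies the resets, and `elapse` is time passage. `satisfies_ad_conditions` checks conditions 2 to 4 of the AD definition on sampled valuations. Since the $d$ switch has no effect clause in Figure 9, it is read as leaving $\mathit{loc} = s_3$ and both clocks unchanged. All function and type names are chosen here and are not from the paper.

```python
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Guard = Callable[[float, float], bool]


@dataclass(frozen=True)
class ADState:
    loc: str      # X_d = {loc}: the discrete variable encoding the location
    x: float      # X_c = {x, y}: the clock variables
    y: float


# Switches of Figure 9 as (label, source location, clock constraint, target location, clocks reset to 0).
SWITCHES: List[Tuple[str, str, Guard, str, Tuple[str, ...]]] = [
    ("a", "s0", lambda x, y: x > 0, "s1", ("y",)),
    ("a", "s3", lambda x, y: y < 1, "s1", ("y",)),
    ("b", "s1", lambda x, y: y == 1, "s2", ()),
    ("c", "s1", lambda x, y: x < 1, "s3", ()),
    ("c", "s2", lambda x, y: x < 1, "s3", ()),
    ("d", "s3", lambda x, y: x > 1, "s3", ()),   # no effect clause: location and clocks unchanged
]


def start() -> ADState:
    return ADState("s0", 0.0, 0.0)       # condition 2: every clock is 0 initially


def enabled(s: ADState) -> List[str]:
    """Labels whose precondition (location and clock constraint) holds in state s."""
    return [lab for lab, src, guard, _, _ in SWITCHES if src == s.loc and guard(s.x, s.y)]


def take(s: ADState, label: str) -> Optional[ADState]:
    """Discrete transition: the effect changes loc and resets the listed clocks to 0 (condition 3)."""
    for lab, src, guard, dst, resets in SWITCHES:
        if lab == label and src == s.loc and guard(s.x, s.y):
            return ADState(dst, 0.0 if "x" in resets else s.x, 0.0 if "y" in resets else s.y)
    return None


def elapse(s: ADState, d: float) -> ADState:
    """Closed trajectory of duration d: loc constant, d(x) = d(y) = 1 (condition 4)."""
    assert d >= 0
    return ADState(s.loc, s.x + d, s.y + d)


def run(steps: List[Tuple[str, object]]) -> Optional[ADState]:
    """Executes ("wait", d) and ("take", label) steps from the start state; None if a switch is disabled."""
    s: Optional[ADState] = start()
    for kind, arg in steps:
        if s is None:
            return None
        s = elapse(s, float(arg)) if kind == "wait" else take(s, str(arg))
    return s


def satisfies_ad_conditions(samples: int = 200, seed: int = 0) -> bool:
    """Conditions 2 to 4 of the AD definition checked on sampled clock valuations: start clocks
    are 0, every enabled switch leaves each clock either unchanged or reset to 0, and time passage
    keeps loc constant while both clocks grow by exactly the elapsed amount. Condition 1, the
    partition of X into {loc} and {x, y}, holds by construction of ADState."""
    rng = random.Random(seed)
    s0 = start()
    if (s0.x, s0.y) != (0.0, 0.0):
        return False
    for _ in range(samples):
        s = ADState(rng.choice(["s0", "s1", "s2", "s3"]), rng.uniform(0, 3), rng.uniform(0, 3))
        for lab in enabled(s):
            t = take(s, lab)
            if t is None or t.x not in (0.0, s.x) or t.y not in (0.0, s.y):
                return False
        d = rng.uniform(0, 2)
        e = elapse(s, d)
        if e.loc != s.loc or e.x != s.x + d or e.y != s.y + d:
            return False
    return True
```

The guards are arbitrary Python predicates, which matches the relaxation of the Alur-Dill clock-constraint syntax described above; the clock $x$ is never reset in Figure 9, so once it exceeds 1 the $c$ switches are disabled for good, as the sample run in the test shows.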

Automaton AD 
  Variables X: 
    discrete loc ∈ {s0, s1, s2, s3} initially s0 
    analog x ∈ R initially 0 
    analog y ∈ R initially 0 
  States Q: val(X) 
  Actions A: external a, b, c, d 
  Transitions D: 
    external a 
      precondition (loc = s0 and x > 0) or (loc = s3 and y < 1) 
      effect loc := s1; y := 0 
    external b 
      precondition loc = s1 and y = 1 
      effect loc := s2 
    external c 
      precondition (loc = s1 and x < 1) or (loc = s2 and x < 1) 
      effect loc := s3 
    external d 
      precondition loc = s3 and x > 1 
  Trajectories T: 
    satisfies constant(loc), d(x) = 1, d(y) = 1 

Figure 9: An AD automaton 

4.4 Implementation Relationships 

Timed automata $\mathcal{A}_1$ and $\mathcal{A}_2$ are comparable if they have the same external interface, 
that is, if $E_1 = E_2$. If $\mathcal{A}_1$ and $\mathcal{A}_2$ are comparable then we say that $\mathcal{A}_1$ implements $\mathcal{A}_2$, 
denoted by $\mathcal{A}_1 \le \mathcal{A}_2$, if the traces of $\mathcal{A}_1$ are included among those of $\mathcal{A}_2$, that is, if 
$\mathit{traces}_{\mathcal{A}_1} \subseteq \mathit{traces}_{\mathcal{A}_2}$.¹ 

Other preorders between timed automata could also be used as implementation rela- 
tionships, for example, if $\mathcal{A}_1$ and $\mathcal{A}_2$ are comparable timed automata, we could consider: 

• Every closed trace of $\mathcal{A}_1$ is a trace of $\mathcal{A}_2$. 

• Every admissible trace of $\mathcal{A}_1$ is a trace of $\mathcal{A}_2$. 

• Every non-Zeno trace of $\mathcal{A}_1$ is a trace of $\mathcal{A}_2$. 

Theorem 4.20 Let $\mathcal{A}_1$ and $\mathcal{A}_2$ be comparable TAs. 

1. If every closed trace of $\mathcal{A}_1$ is a trace of $\mathcal{A}_2$ and $\mathcal{A}_2$ has FIN, then $\mathcal{A}_1 \le \mathcal{A}_2$. 

2. If every admissible trace of $\mathcal{A}_1$ is a trace of $\mathcal{A}_2$ and $\mathcal{A}_1$ is feasible, then every closed 
trace of $\mathcal{A}_1$ is a trace of $\mathcal{A}_2$. 

3. If every admissible trace of $\mathcal{A}_1$ is a trace of $\mathcal{A}_2$, $\mathcal{A}_1$ is feasible, and $\mathcal{A}_2$ has FIN, then 
$\mathcal{A}_1 \le \mathcal{A}_2$. 

Proof: Part 1 follows from Lemma 4.18. 

For Part 2, consider a closed trace $\beta$ of $\mathcal{A}_1$. By feasibility of $\mathcal{A}_1$, we may extend $\beta$ 
to an admissible trace $\beta'$ of $\mathcal{A}_1$. Then by assumption, $\beta'$ is also a trace of $\mathcal{A}_2$. By prefix 
closure of the set of traces, $\beta$ is a trace of $\mathcal{A}_2$. 

Part 3 follows from Parts 1 and 2. ■ 

4.5 Simulation Relations 

In this section, we define simulation relations between timed automata. Simulation rela- 
tions may be used to show that one TA implements another, in the sense of inclusion of sets 
of traces. We define two types of simulation relations: forward and backward simulations. 

Forward simulations are more commonly used than backward simulations because they 
are easier to think about and are general enough to cover most interesting situations that 
arise in practice. Backward simulations are sometimes necessary, in particular, when non- 
deterministic choices are resolved earlier in the specification than in the implementation. 
In proving implementation relations, we prefer to use forward simulation relations when- 
ever they exist, since backward simulations are harder to think about. 



¹ In [25, 14, 23, 24], definitions of the set of traces of an automaton and of one automaton implementing 
another are based on closed and admissible executions only. The results we obtain in this paper using 
the newer, more inclusive definition imply corresponding results for the earlier definition. For example, 
we have the following property: If $\mathcal{A}_1 \le \mathcal{A}_2$ then the set of traces that arise from closed or admissible 
executions of $\mathcal{A}_1$ is a subset of the set of traces that arise from closed or admissible executions of $\mathcal{A}_2$. This 
follows from Lemmas 4.13 and 4.14. 
4.5.1 Forward Simulations 

Let A and B be comparable TAs. A forward simulation from A to B is a relation 
$R \subseteq Q_{\mathcal{A}} \times Q_{\mathcal{B}}$ satisfying the following conditions, for all states $\mathbf{x}_A$ and $\mathbf{x}_B$ of A and B, 
respectively: 

1. If $\mathbf{x}_A \in \Theta_{\mathcal{A}}$ then there exists a state $\mathbf{x}_B \in \Theta_{\mathcal{B}}$ such that $\mathbf{x}_A\, R\, \mathbf{x}_B$. 

2. If $\mathbf{x}_A\, R\, \mathbf{x}_B$ and $\alpha$ is an execution fragment of A consisting of one action surrounded 
by two point trajectories, with $\alpha.\mathit{fstate} = \mathbf{x}_A$, then B has a closed execution fragment 
$\beta$ with $\beta.\mathit{fstate} = \mathbf{x}_B$, $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$, and $\alpha.\mathit{lstate}\, R\, \beta.\mathit{lstate}$. 

3. If $\mathbf{x}_A\, R\, \mathbf{x}_B$ and $\alpha$ is an execution fragment of A consisting of a single closed 
trajectory, with $\alpha.\mathit{fstate} = \mathbf{x}_A$, then B has a closed execution fragment $\beta$ with 
$\beta.\mathit{fstate} = \mathbf{x}_B$, $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$, and $\alpha.\mathit{lstate}\, R\, \beta.\mathit{lstate}$. 

Forward simulation relations induce a preorder between timed automata. 

Theorem 4.21 Let A, B and C be comparable TAs. If $R_1$ is a forward simulation from 
A to B and $R_2$ is a forward simulation from B to C, then $R_2 \circ R_1$ is a forward simulation 
from A to C. 

The definition of a forward simulation from A to B yields a correspondence for open 
trajectories of A: 

Lemma 4.22 Let A and B be comparable TAs and let $R$ be a forward simulation from A 
to B. Let $\mathbf{x}_A$ and $\mathbf{x}_B$ be states of A and B, respectively, such that $\mathbf{x}_A\, R\, \mathbf{x}_B$. Let $\alpha$ be an 
execution fragment of A from state $\mathbf{x}_A$ consisting of a single open trajectory. Then B has 
an execution fragment $\beta$ with $\beta.\mathit{fstate} = \mathbf{x}_B$ and $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$. 

Proof: Let $\tau$ be the single open trajectory in $\alpha$. Using axioms T1 and T2, we construct 
an infinite sequence $\tau_0\, \tau_1 \ldots$ of closed trajectories of A such that $\tau = \tau_0 \frown \tau_1 \frown \cdots$. Then, 
working recursively, we construct a sequence $\beta_0\, \beta_1 \cdots$ of closed execution fragments of 
B such that $\beta_0.\mathit{fstate} = \mathbf{x}_B$ and, for each $i$, $\tau_i.\mathit{lstate}\, R\, \beta_i.\mathit{lstate}$, $\beta_i.\mathit{lstate} = \beta_{i+1}.\mathit{fstate}$, 
and $\mathit{trace}(\tau_i) = \mathit{trace}(\beta_i)$. This construction uses induction on $i$, using Property 3 of the 
definition of a forward simulation in the induction step. Now let $\beta = \beta_0 \frown \beta_1 \frown \cdots$. By 
Lemma 4.7, $\beta$ is an execution fragment of B. Clearly, $\beta.\mathit{fstate} = \mathbf{x}_B$. By Lemma 3.9 
applied to both $\alpha$ and $\beta$, $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$. Thus $\beta$ has the required properties. ■ 



Theorem 4.23 Let A and B be comparable TAs and let $R$ be a forward simulation from 
A to B. Let $\mathbf{x}_A$ and $\mathbf{x}_B$ be states of A and B, respectively, such that $\mathbf{x}_A\, R\, \mathbf{x}_B$. Then 
$\mathit{tracefrags}_{\mathcal{A}}(\mathbf{x}_A) \subseteq \mathit{tracefrags}_{\mathcal{B}}(\mathbf{x}_B)$. 

Proof: Suppose that $\delta$ is the trace of an execution fragment of A that starts from 
$\mathbf{x}_A$; we prove that $\delta$ is also a trace of an execution fragment of B that starts from $\mathbf{x}_B$. 
Let $\alpha = \tau_0\, a_1\, \tau_1\, a_2\, \tau_2 \cdots$ be an execution fragment of A such that $\alpha.\mathit{fstate} = \mathbf{x}_A$ and 
$\delta = \mathit{trace}(\alpha)$. We consider cases: 

1. $\alpha$ is an infinite sequence. 

Using axioms T1 and T2, we can write $\alpha$ as an infinite concatenation $\alpha_0 \frown \alpha_1 \frown \alpha_2 \frown \cdots$, 
in which the execution fragments $\alpha_i$ with $i$ even consist of a trajectory only, and the 
execution fragments $\alpha_i$ with $i$ odd consist of a single discrete step surrounded by 
two point trajectories. 

We define inductively a sequence $\beta_0\, \beta_1 \cdots$ of closed execution fragments of B, such 
that $\beta_0.\mathit{fstate} = \mathbf{x}_B$ and, for all $i$, $\beta_i.\mathit{lstate} = \beta_{i+1}.\mathit{fstate}$, $\alpha_i.\mathit{lstate}\, R\, \beta_i.\mathit{lstate}$, and 
$\mathit{trace}(\beta_i) = \mathit{trace}(\alpha_i)$. We use Property 3 of the definition of a simulation for the 
construction of the $\beta_i$'s with $i$ even, and Property 2 for the construction of the $\beta_i$'s 
with $i$ odd. Let $\beta = \beta_0 \frown \beta_1 \frown \beta_2 \cdots$. By Lemma 4.7, $\beta$ is an execution fragment 
of B. Clearly, $\beta.\mathit{fstate} = \mathbf{x}_B$. By Lemma 3.9, $\mathit{trace}(\beta) = \mathit{trace}(\alpha)$. Thus $\beta$ has the 
required properties. 

2. $\alpha$ is a finite sequence ending with a closed trajectory. 

Similar to the first case. 

3. $\alpha$ is a finite sequence ending with an open trajectory. 

Similar to the first case, using Lemma 4.22. ■ 

Corollary 4.24 Let A and B be comparable TAs and let $R$ be a forward simulation from 
A to B. Then $\mathit{traces}_{\mathcal{A}} \subseteq \mathit{traces}_{\mathcal{B}}$. 

Proof: Suppose $\beta \in \mathit{traces}_{\mathcal{A}}$. Then $\beta \in \mathit{tracefrags}_{\mathcal{A}}(\mathbf{x}_A)$ for some start state $\mathbf{x}_A$ of A. 
Property 1 of the definition of simulation implies the existence of a start state $\mathbf{x}_B$ of B 
such that $\mathbf{x}_A\, R\, \mathbf{x}_B$. Then Theorem 4.23 implies that $\beta \in \mathit{tracefrags}_{\mathcal{B}}(\mathbf{x}_B)$. Since $\mathbf{x}_B$ is a 
start state of B, this implies that $\beta \in \mathit{traces}_{\mathcal{B}}$, as needed. ■ 

Example 4.25 (Time-bounded channels) Consider two instances of the specification 
in Figure 2, $\mathit{TimedChannel}(b_1, M)$ and $\mathit{TimedChannel}(b_2, M)$ where $b_1 \le b_2$. We define 
a forward simulation $R$ from $\mathit{TimedChannel}(b_1, M)$ to $\mathit{TimedChannel}(b_2, M)$ below. If $\mathbf{x}$ 
is a state of $\mathit{TimedChannel}(b_1, M)$ and $\mathbf{y}$ is a state of $\mathit{TimedChannel}(b_2, M)$, then $\mathbf{x}\, R\, \mathbf{y}$ 
provided that the following conditions are satisfied: 

1. $\mathbf{x}(\mathit{now}) = \mathbf{y}(\mathit{now})$. 

2. $|\mathbf{x}(\mathit{queue})| = |\mathbf{y}(\mathit{queue})|$. 

3. $\forall i.\ 1 \le i \le |\mathbf{x}(\mathit{queue})|$, if $\mathbf{x}(\mathit{queue})(i) = (m, u_1)$ then $\mathbf{y}(\mathit{queue})(i) = (m, u_2)$ and 
$u_1 \le u_2$. 

We can prove that $R$ is a forward simulation from the automaton $\mathit{TimedChannel}(b_1, M)$ 
to the automaton $\mathit{TimedChannel}(b_2, M)$ by showing that $R$ satisfies each of the three 
properties in the definition of a forward simulation relation. In each automaton there is 
a unique initial state that maps the variable $\mathit{now}$ to 0 and $\mathit{queue}$ to the empty sequence. 
It is obvious that the initial states, which are identical, are related by $R$ and so the first 
property is satisfied. 

For the rest of the proof, we let $\mathbf{x}$ and $\mathbf{y}$ be, respectively, states of $\mathit{TimedChannel}(b_1, M)$ 
and $\mathit{TimedChannel}(b_2, M)$ such that $\mathbf{x}\, R\, \mathbf{y}$. In order to show that the second property is 
satisfied, we need to consider two cases, one for each discrete action that may be performed 
by $\mathit{TimedChannel}(b_1, M)$. 

If $\mathit{TimedChannel}(b_1, M)$ performs a $\mathit{send}(m)$ action, and the state changes from $\mathbf{x}$ to 
$\mathbf{x}'$, then we need to find an execution fragment $\beta$ of $\mathit{TimedChannel}(b_2, M)$ from $\mathbf{y}$ ending 
in $\mathbf{y}'$, such that $\mathbf{x}'\, R\, \mathbf{y}'$ and $\mathit{trace}(\beta)$ is the same as the trace of $\wp(\mathbf{x})\ \mathit{send}(m)\ \wp(\mathbf{x}')$. The 
execution fragment $\beta = \wp(\mathbf{y})\ \mathit{send}(m)\ \wp(\mathbf{y}')$ satisfies the required conditions. This follows 
from the hypothesis that $\mathbf{x}\, R\, \mathbf{y}$ and the definition of $R$, using the fact that the effects 
of a $\mathit{send}(m)$ action of $\mathit{TimedChannel}(b_1, M)$ and $\mathit{TimedChannel}(b_2, M)$ are, respectively, 
adding the entry $(m, \mathit{now} + b_1)$ to $\mathbf{x}(\mathit{queue})$ and $(m, \mathit{now} + b_2)$ to $\mathbf{y}(\mathit{queue})$, where $b_1 \le b_2$. 

If $\mathit{TimedChannel}(b_1, M)$ performs a $\mathit{receive}(m)$ action, and the state changes from 
$\mathbf{x}$ to $\mathbf{x}'$, then we need to show that $\mathit{receive}(m)$ is also enabled in $\mathbf{y}$ and that there is an 
execution fragment with the required properties that ends in a state $\mathbf{y}'$ such that $\mathbf{x}'\, R\, \mathbf{y}'$. 
In order to show that $\mathit{receive}(m)$ is enabled in $\mathbf{y}$, we use the hypothesis that $\mathbf{x}\, R\, \mathbf{y}$, which 
implies that the first element of $\mathbf{y}(\mathit{queue})$ is of the form $(m, u)$ for some $u$. The execution 
fragment $\wp(\mathbf{y})\ \mathit{receive}(m)\ \wp(\mathbf{y}')$ of $\mathit{TimedChannel}(b_2, M)$ can be shown to satisfy the 
required conditions. 

For the third property, we consider a closed trajectory $\tau$ of $\mathit{TimedChannel}(b_1, M)$ with 
$\tau.\mathit{fstate} = \mathbf{x}$ and show that there exists a closed execution fragment $\beta$ of the automaton 
$\mathit{TimedChannel}(b_2, M)$ with $\beta.\mathit{fstate} = \mathbf{y}$, $\mathit{trace}(\beta) = \mathit{trace}(\tau)$, and $\tau.\mathit{lstate}\, R\, \beta.\mathit{lstate}$. It 
is easy to check that the trajectory $\tau'$ of $\mathit{TimedChannel}(b_2, M)$ with $\tau'.\mathit{fstate} = \mathbf{y}$ and 
$\tau'.\mathit{ltime} = \tau.\mathit{ltime}$ satisfies the required conditions. ■ 
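The following Python code is an added check, not from the paper, of the relation $R$ of Example 4.25 along the lines of the proof just given: `related` is $R$ (conditions 1 to 3), `successor_pair` builds, for one $\mathit{send}$, $\mathit{receive}$ or closed-trajectory step of $\mathit{TimedChannel}(b_1, M)$ from $\mathbf{x}$, the matching fragment of $\mathit{TimedChannel}(b_2, M)$ from $\mathbf{y}$ with the same trace, and `random_walk_checks_R` confirms along sampled executions that the end states stay related. The channel's transition rules are reconstructed from this example (Figure 2 is not reproduced here) and the stopping condition, that time cannot pass a deadline, is taken from Example 4.11; both are assumptions, as are the function names. Running the check with $b_1 > b_2$ shows why the direction of the inequality matters: $R$ then fails at the first $\mathit{send}$.

```python
import random
from dataclasses import dataclass
from typing import Optional, Tuple

Queue = Tuple[Tuple[str, float], ...]   # (message, deadline) pairs, oldest first


@dataclass(frozen=True)
class State:
    now: float
    queue: Queue


START = State(0.0, ())                   # the unique start state of either automaton


def send(x: State, m: str, b: float) -> State:
    return State(x.now, x.queue + ((m, x.now + b),))


def receive(x: State, m: str) -> Optional[State]:
    return State(x.now, x.queue[1:]) if x.queue and x.queue[0][0] == m else None


def advance(x: State, d: float) -> Optional[State]:
    """Closed trajectory of duration d; time may not pass any deadline (assumed stopping condition)."""
    if x.queue and x.now + d > min(u for _, u in x.queue):
        return None
    return State(x.now + d, x.queue)


def related(x: State, y: State) -> bool:
    """x R y, conditions 1-3 of Example 4.25: same now, same queue length, same messages in the
    same order, and each deadline in x at most the corresponding deadline in y."""
    return (x.now == y.now and len(x.queue) == len(y.queue)
            and all(mx == my and ux <= uy for (mx, ux), (my, uy) in zip(x.queue, y.queue)))


def successor_pair(x: State, y: State, step: Tuple[str, object], b1: float, b2: float):
    """For x R y and one step of TimedChannel(b1, M) from x, returns (x', y') where y' ends the
    fragment of TimedChannel(b2, M) from y with the same trace; None if the step is not enabled
    in x. y' is None when B cannot match, which would refute R as a forward simulation."""
    kind, arg = step
    if kind == "send":                   # beta = p(y) send(m) p(y'); always enabled
        return send(x, str(arg), b1), send(y, str(arg), b2)
    if kind == "receive":                # enabled in y because x R y forces the same head message
        xp = receive(x, str(arg))
        return None if xp is None else (xp, receive(y, str(arg)))
    xp = advance(x, float(arg))          # tau' with the same ltime; allowed in y since its deadlines are later
    return None if xp is None else (xp, advance(y, float(arg)))


def random_walk_checks_R(b1: float, b2: float, steps: int = 200, seed: int = 0) -> bool:
    """Property 1: the start states are related. Properties 2 and 3: along a random walk that
    keeps x R y, every send, enabled receive and allowed closed trajectory of TimedChannel(b1, M)
    is matched by TimedChannel(b2, M). This samples executions; the proof is in Example 4.25."""
    rng = random.Random(seed)
    x, y = START, START
    if not related(x, y):
        return False
    for _ in range(steps):
        kind = rng.choice(["send", "receive", "advance"])
        if kind == "send":
            step = ("send", rng.choice(["m1", "m2"]))
        elif kind == "receive":
            step = ("receive", x.queue[0][0] if x.queue else "m1")
        else:
            limit = min(u for _, u in x.queue) - x.now if x.queue else b1
            step = ("advance", rng.uniform(0.0, limit))
        pair = successor_pair(x, y, step, b1, b2)
        if pair is None:                 # step not enabled in x: nothing to match
            continue
        xp, yp = pair
        if yp is None or not related(xp, yp):
            return False
        x, y = xp, yp
    return True
```

The comment in `successor_pair` on the trajectory case is the one fact the example's "easy to check" hides: since every deadline in $\mathbf{y}(\mathit{queue})$ is at least the corresponding one in $\mathbf{x}(\mathit{queue})$, any duration that the stopping condition allows from $\mathbf{x}$ is also allowed from $\mathbf{y}$.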

Example 4.26 (Time-bounded channel that keeps all messages) In this example we 
define a variant of $\mathit{TimedChannel}(b, M)$ from Example 4.1 called $\mathit{TimedChannel2}(b, M)$. 
The main difference between $\mathit{TimedChannel}(b, M)$ and $\mathit{TimedChannel2}(b, M)$ is that 
the message queue in $\mathit{TimedChannel2}(b, M)$ is implemented using a finite sequence of 
(message, delivery deadline) pairs $\mathit{queue}$ and a pointer $\mathit{ptr}$ that points to the next element 
that is to be delivered. Hence, the internal variables of $\mathit{TimedChannel2}(b, M)$ consist 
of $\mathit{queue}$, $\mathit{now}$ and $\mathit{ptr}$. The variable $\mathit{ptr}$ initially has value 1, which indicates that it 
is pointing to the first element in the sequence. A $\mathit{send}(m)$ action causes messages and 
deadlines to be added to the sequence as in $\mathit{TimedChannel}(b, M)$. A $\mathit{receive}(m)$ causes 
$\mathit{ptr}$ to be incremented to make it point to the next element in the sequence instead of 
removing the first element. The automaton $\mathit{TimedChannel}(b, M)$ can be viewed as an 
optimized implementation of $\mathit{TimedChannel2}(b, M)$. 

We define below a forward simulation $R$ from $\mathit{TimedChannel}(b, M)$ to 
$\mathit{TimedChannel2}(b, M)$. If $\mathbf{x}$ is a state of $\mathit{TimedChannel}(b, M)$ and $\mathbf{y}$ is a state of 
$\mathit{TimedChannel2}(b, M)$, then $\mathbf{x}\, R\, \mathbf{y}$ provided that the following conditions are satisfied: 

1. $\mathbf{x}(\mathit{now}) = \mathbf{y}(\mathit{now})$. 

2. $\mathbf{x}(\mathit{queue}) = \mathbf{y}(\mathit{queue})(\mathbf{y}(\mathit{ptr}) \ldots |\mathbf{y}(\mathit{queue})|)$. 

Automaton SendVal(u, ρ)_i where u ∈ R⁺, 0 < ρ < 1, i ∈ I 
  Variables X: 
    discrete counter ∈ R initially 0 
    analog now ∈ R initially 0 
  States Q: val(X) 
  Actions A: external send(m)_i, receive(m)_{j,i} where m ∈ R, j ∈ I, j ≠ i 
  Transitions D: 
    external send(m)_i 
      precondition m = counter × u 
                   counter × u/(1 + ρ) ≤ now 
      effect counter := counter + 1 
    external receive(m)_{j,i} 
  Trajectories T: 
    satisfies constant(counter), d(now) = 1 
    stops when now = counter × u/(1 − ρ) 

Figure 10: Clock synchronization 



Example 4.27 (Clock synchronization) In this example, we define a forward simulation
from ClockSync(u, ρ)_i of Figure 8 to an automaton that sends multiples of u. The
specification of this automaton, which is called SendVal(u, ρ)_i, is given in Figure 10. We
assume that the subscripts representing process indices in both automata are drawn from
the same finite set I.

The variable counter keeps track of which multiple of u is to be sent next, and variable
now contains the current time. The automaton parameter ρ is used in the precondition
of the send and in the stopping condition of the trajectory definition, to enforce bounds on
the times of occurrence of send.

We now define a forward simulation R from the automaton ClockSync(u, ρ)_i to the
automaton SendVal(u, ρ)_i where u and ρ are actual parameters. If x is a state of the
automaton ClockSync(u, ρ)_i and y is a state of SendVal(u, ρ)_i, then x R y provided that
the following conditions are satisfied:

1. y(now)(1 − ρ) ≤ x(physclock) ≤ y(now)(1 + ρ).

2. y(counter) = x(nextsend)/u.



4.5.2 Refinements

Let A and B be comparable TAs. A refinement from A to B is a function F ⊆ Q_A × Q_B
satisfying the following conditions, for all states x_A and x_B of A and B, respectively:

1. If x_A ∈ Θ_A then F(x_A) ∈ Θ_B.

2. If α is an execution fragment of A consisting of one action surrounded by two point
trajectories, with α.fstate = x_A, then B has a closed execution fragment β with
β.fstate = F(x_A), trace(β) = trace(α), and β.lstate = F(α.lstate).

3. If α is an execution fragment of A consisting of a single closed trajectory, with
α.fstate = x_A, then B has a closed execution fragment β with β.fstate = F(x_A),
trace(β) = trace(α), and β.lstate = F(α.lstate).

Theorem 4.28 Let A and B be two TAs and suppose R ⊆ Q_A × Q_B. Then R is a
refinement from A to B if and only if R is a forward simulation from A to B and R is a
function.

Theorem 4.29 Let A, B and C be comparable TAs. If R_1 is a refinement from A to B
and R_2 is a refinement from B to C, then R_2 ∘ R_1 is a refinement from A to C.

An isomorphism from A to B is a refinement F from A to B such that F^{-1} is a
refinement from B to A. We say that two automata A and B are isomorphic if there
exists an isomorphism from A to B (or, equivalently, from B to A).
4.5.3 Backward Simulations

Let A and B be comparable TAs. A backward simulation from A to B is a total relation
R ⊆ Q_A × Q_B satisfying the following conditions, for all states x_A and x_B of A and B,
respectively:

1. If x_A ∈ Θ_A and x_A R x_B then x_B ∈ Θ_B.

2. If x_A R x_B and α is an execution fragment of A with α.lstate = x_A, consisting of one
discrete action surrounded by two point trajectories, then B has a closed execution
fragment β with β.lstate = x_B, trace(β) = trace(α), and α.fstate R β.fstate.

3. If x_A R x_B and α is an execution fragment of A with α.lstate = x_A, consisting
of one trajectory, then B has a closed execution fragment β with β.lstate = x_B,
trace(β) = trace(α), and α.fstate R β.fstate.

Backward simulations induce a preorder between timed automata.

Theorem 4.30 Let A, B and C be comparable TAs. If R_1 is a backward simulation from
A to B and R_2 is a backward simulation from B to C, then R_2 ∘ R_1 is a backward simulation
from A to C.

Theorem 4.31 Let A and B be comparable TAs and let R be a backward simulation from
A to B. Let x_A and x_B be states of A and B, respectively, such that x_A R x_B. Let β
be the trace of a closed execution fragment of A from y_A with last state x_A. Then there
exists y_B such that β is also the trace of a closed execution fragment of B from y_B with
last state x_B and y_A R y_B.

Proof: Fix some R, x_A, x_B and β satisfying the conditions in the statement of the
theorem. Let α ∈ frags_A(y_A) for some state y_A of A with trace(α) = β. By using the
axioms T1 and T2, we can write α as the concatenation of a sequence of closed execution
fragments, α = α_0 ⌢ α_1 ⌢ ... ⌢ α_n, where each α_i is either a closed trajectory or an action
surrounded by two point trajectories, and α_i.lstate = α_{i+1}.fstate for 0 ≤ i < n.

By using the definition of a backward simulation, working backwards from α_n, we can
construct an execution fragment α' = α'_0 ⌢ α'_1 ⌢ ... ⌢ α'_n from a state y_B of B such that (a)
α'.lstate = x_B, (b) for all i, 0 ≤ i ≤ n, α_i.fstate R α'_i.fstate and trace(α'_i) = trace(α_i), (c)
for all i, 0 ≤ i ≤ n − 1, α'_i.lstate = α'_{i+1}.fstate. Using Lemma 4.7, we can see that α' is an
execution fragment of B. By Lemma 3.9, trace(α) = trace(α'), as needed. ■



Corollary 4.32 Let A and B be comparable TAs and let R be a backward simulation from
A to B. Then every closed trace of A is a trace of B.

Proof: Suppose R is a backward simulation from A to B and β is a closed trace of A.
Then β = trace(α) for some closed execution α of A. Let x_A and y_A be the first and
last states of α respectively. By the totality of relation R, there exists some state y_B of
B such that y_A R y_B. By Theorem 4.31, there exists x_B of B such that β is the trace of
a closed execution fragment of B from x_B with last state y_B and x_A R x_B. Property 1 of
the definition of a backward simulation relation implies that x_B is a start state of B. It
follows that β ∈ traces_B, as needed. ■



Theorem 4.33 Let A and B be comparable TAs and let R be an image-finite backward
simulation from A to B. Then traces_A ⊆ traces_B.

Proof: Let β ∈ traces_A. If β is closed then Corollary 4.32 implies that β is a trace of B.
From now on we assume β is not closed.

Let α ∈ execs_A with trace(α) = β. Note that any such α is either an infinite sequence
τ_0 a_1 τ_1 ... or a finite sequence τ_0 a_1 τ_1 ... τ_n where the final trajectory τ_n is right open. In
either case, using the axioms T1 and T2, we can construct an infinite sequence α_0 α_1 ...
of closed execution fragments such that α = α_0 ⌢ α_1 ⌢ ..., where α_0 is a point trajectory,
each α_i is either a closed trajectory or an action surrounded by two point trajectories, and
α_i.lstate = α_{i+1}.fstate for each i, 0 ≤ i.

We construct a directed graph G whose nodes are pairs (x, i) consisting of a state x of
B and an index i such that (α_i.lstate, x) ∈ R. In G, there is an edge from (x, i) to (x', j)
exactly if j = i + 1 and there is an α' ∈ frags_B(x) with trace(α') = trace(α_{i+1}) such
that α'.lstate = x'. Since R is image-finite there are finitely many roots of G. By image-
finiteness of R and the definition of the edge set, each node has finite outdegree. By using
the definition of a backward simulation and the edge set of G, we can show that each node
(x, i) is reachable from some root node (z, 0) for some start state z of B.

The directed graph G satisfies the hypotheses of Lemma 2.3, which implies that there
is an infinite path in G starting from a root. An edge from a node (x, i) to (x', i + 1)
along this infinite path corresponds to a closed execution fragment γ_{i+1} of B, for i, 0 ≤ i,
such that γ_{i+1}.fstate = x, γ_{i+1}.lstate = x' and trace(γ_{i+1}) = trace(α_{i+1}). By Lemma 4.7,
γ = γ_1 ⌢ γ_2 ⌢ ... is an execution of B and by Lemma 3.9, trace(γ) = trace(γ_1) ⌢ trace(γ_2) ⌢ ....
Since trace(γ_{i+1}) = trace(α_{i+1}) for all i, 0 ≤ i, and α_0 is a point trajectory, by Lemma 3.9,
we get trace(γ) = trace(α) = β. ■



Example 4.34 (A backward simulation relation) This example illustrates the
difference between forward and backward simulations. We consider two automata A and
B and show that a forward simulation from A to B does not exist, while we exhibit a
backward simulation from A to B.

Let A and B be two comparable automata specified below. The trajectories consist of
a set of point trajectories. This implies that the automaton does not allow time to pass:
everything happens at time 0.

• V_A = {stateA} and V_B = {stateB} where:

stateA is a discrete variable with type(stateA) = {x_A, y_A, q_A, s_A}, and
stateB is a discrete variable with type(stateB) = {x_B, y_B, y'_B, q_B, s_B}.

• Q_A = val(V_A) and Q_B = val(V_B). We write x_A for the valuation that maps stateA
to x_A, y_A for the valuation that maps stateA to y_A, etc. Similarly, we write x_B for
the valuation that maps stateB to x_B, y_B for the valuation that maps stateB to y_B,
etc.

• Θ_A = {x_A} and Θ_B = {x_B}.

• E_A = E_B = {a, b, c} and H_A = H_B = ∅.

• D_A = {(x_A, a, y_A), (y_A, b, q_A), (y_A, c, s_A)}, and

D_B = {(x_B, a, y_B), (x_B, a, y'_B), (y_B, b, q_B), (y'_B, c, s_B)}.

• T_A = {℘(v) | v ∈ Q_A}, and T_B = {℘(v) | v ∈ Q_B}.

The following are representations of automata A and B as directed multigraphs. The
nodes in the graph represent states and the edges represent discrete transitions where a
label on an edge stands for the action involved in the transition.

[Figure: A and B as directed multigraphs. A: x_A −a→ y_A, y_A −b→ q_A, y_A −c→ s_A.
B: x_B −a→ y_B −b→ q_B and x_B −a→ y'_B −c→ s_B.]

An obvious candidate for a forward simulation from A to B is the relation
R = {(x_A, x_B), (y_A, y_B), (y_A, y'_B), (q_A, q_B), (s_A, s_B)}. However, observe that even though
y_A and y_B are related by R, the execution fragment ℘(y_A) c ℘(s_A) of A cannot be
matched by any execution fragment of B starting with state y_B. Similarly, even though
y_A and y'_B are related by R, the execution fragment ℘(y_A) b ℘(q_A) of A cannot be
matched by any execution fragment of B starting with y'_B. Therefore, R is not a forward
simulation. In fact, there is no forward simulation relation from A to B: there are finitely
many possibilities for forward simulations from A to B and we see that none of them is
a forward simulation by examining all the possibilities. The main reason for this is that
while A makes the nondeterministic choice between performing b or c after performing a,
B makes its choice earlier, at the same time it performs a.

There is, however, a backward simulation from A to B: the relation R defined above
is a backward simulation. ■

4.5.4 History Relations

A relation R ⊆ Q_A × Q_B is a history relation from A to B if R is a forward simulation
from A to B and R^{-1} is a refinement from B to A. History relations induce a preorder
between timed automata.

An automaton B is obtained from an automaton A by adding history variables if there
exists a set of variables V such that

1. V_B = V_A ∪ V and V_A ∩ V = ∅,

2. Q_B ⊆ val(V_B) such that Q_B ⌈ V_A ⊆ Q_A, and

3. The relation {(x, y) | y ∈ Q_B and y ⌈ V_A = x} is a history relation from A to B.

The method of adding history variables is typically used to make it possible to establish
an implementation relationship using a refinement. If a refinement does not exist from a
low-level automaton to a higher-level one, it can often be made to exist by adding history
variables to the low-level automaton.

Example 4.35 (Adding history variables to obtain a refinement) We cannot show
that TimedChannel(b, M) is an implementation of TimedChannel2(b, M) from Example
4.26 by using a refinement. This is because we have no way of specifying what the
subsequence before the pointer should be in TimedChannel2(b, M) when relating the
states of the two automata. This example shows how we can add history variables to
TimedChannel(b, M) (actually, we add just one variable) to obtain a new automaton
that is related to TimedChannel2(b, M) by a refinement.

Let log be a discrete variable whose static type is the same as the static type of
queue in TimedChannel(b, M) and let the initial value of log be the empty sequence.
We define a new automaton TimedChannelH(b, M) whose set of variables consists of
the variables of TimedChannel(b, M) and the variable log. The rest of the definition
of TimedChannelH(b, M) is the same as TimedChannel(b, M) except for the transition
definition for receive(m). A receive(m) event in TimedChannelH(b, M) not only removes
the first message from the message queue but also appends this message to the sequence
contained in log.

Let V_1, V_2 be the sets of variables and Q_1, Q_2 be the sets of states of TimedChannel(b, M)
and TimedChannelH(b, M) respectively. It is easy to verify that the relation {(x, y) | y ∈
Q_2 and y ⌈ V_1 = x} is a history relation from TimedChannel(b, M) to TimedChannelH(b, M).
This means that TimedChannelH(b, M) is obtained from TimedChannel(b, M) by adding
a history variable.

We now define a refinement F from TimedChannelH(b, M) to TimedChannel2(b, M)
as follows. In our definition we assume the following conventions. Concatenation on the
left corresponds to putting an element on the front of a queue. Recall also that we use
juxtaposition for concatenation of sequences. If x is a state of TimedChannelH(b, M)
and y is a state of TimedChannel2(b, M), then F(x) = y where:

1. y(now) = x(now).

2. y(queue) = x(log) x(queue), where |x(log)| = y(ptr) − 1.
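The refinement F of Example 4.35 and the forward simulation R of Example 4.26, replayed on a concrete run, as an added example that is not part of the paper; the channel step rules (deadline now + b on send, delivery of the head message, no time passage beyond a deadline) are assumed from the informal descriptions of the channel automata.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ChannelH:
    """TimedChannelH(b, M): TimedChannel(b, M) plus the history variable log."""
    b: float
    now: float = 0.0
    queue: tuple = ()   # (message, deadline) pairs, head first
    log: tuple = ()     # pairs already delivered, in delivery order

    def send(self, m):
        # assumed rule of Example 4.1: a message gets deadline now + b
        return replace(self, queue=self.queue + ((m, self.now + self.b),))

    def receive(self):
        # removes the head of the queue and appends it to log
        head, rest = self.queue[0], self.queue[1:]
        return head[0], replace(self, queue=rest, log=self.log + (head,))

    def advance(self, dt):
        # trajectory with d(now) = 1 that stops when a deadline is reached
        if any(self.now + dt > d for _, d in self.queue):
            raise ValueError("time cannot pass beyond a delivery deadline")
        return replace(self, now=self.now + dt)


@dataclass(frozen=True)
class Channel2:
    """TimedChannel2(b, M): keeps every message; ptr indexes the next one."""
    b: float
    now: float = 0.0
    queue: tuple = ()
    ptr: int = 1        # 1-based, as in the paper

    def send(self, m):
        return replace(self, queue=self.queue + ((m, self.now + self.b),))

    def receive(self):
        head = self.queue[self.ptr - 1]
        return head[0], replace(self, ptr=self.ptr + 1)

    def advance(self, dt):
        # only the not-yet-delivered suffix constrains time passage
        if any(self.now + dt > d for _, d in self.queue[self.ptr - 1:]):
            raise ValueError("time cannot pass beyond a delivery deadline")
        return replace(self, now=self.now + dt)


def F(x):
    """The refinement of Example 4.35: y(now) = x(now),
    y(queue) = x(log) x(queue) and y(ptr) - 1 = |x(log)|."""
    return Channel2(b=x.b, now=x.now, queue=x.log + x.queue, ptr=len(x.log) + 1)


def related_R(x, y):
    """The forward simulation R of Example 4.26 between a TimedChannel state
    (here a ChannelH state with log ignored) and a TimedChannel2 state:
    x(now) = y(now) and x(queue) = y(queue)(y(ptr) ... |y(queue)|)."""
    return x.now == y.now and x.queue == y.queue[y.ptr - 1:]


def check_refinement(b, script):
    """Replays `script` on TimedChannelH and on TimedChannel2 started from
    F(initial state). Returns True iff after every step the TimedChannel2
    state is exactly F of the TimedChannelH state (conditions 2 and 3 of a
    refinement, on this run), both sides deliver the same message, and the
    pair also satisfies the forward simulation R."""
    x = ChannelH(b=b)
    y = F(x)
    for step in script:
        if step[0] == "send":
            x, y = x.send(step[1]), y.send(step[1])
        elif step[0] == "receive":
            (mx, x), (my, y) = x.receive(), y.receive()
            if mx != my:
                return False
        else:  # ("advance", dt)
            x, y = x.advance(step[1]), y.advance(step[1])
        if F(x) != y or not related_R(x, y):
            return False
    return True


# Constructed sample run with b = 2 (not from the paper).
SAMPLE_RUN = [("send", "m1"), ("advance", 1.0), ("send", "m2"),
              ("advance", 1.0), ("receive",), ("send", "m3"),
              ("advance", 1.0), ("receive",), ("receive",)]

if __name__ == "__main__":
    print("F commutes with every step:", check_refinement(2.0, SAMPLE_RUN))  # True
```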



Whenever an automaton B is obtained from A by adding history variables, then there
exists a history relation from A to B by definition. Theorem 4.36 states that the converse
also holds, if isomorphic automata are considered.

Theorem 4.36 Let A and B be two comparable TAs such that V_A and V_B are disjoint.
Suppose that there is a history relation from A to B. Then there exists an automaton C
that is isomorphic to B and is obtained from A by adding history variables.

Proof: Let R be a history relation from A to B. Define automaton C as follows:

• V_C = V_A ∪ V_B.

• Q_C = {x ∈ val(V_C) | (x ⌈ V_A, x ⌈ V_B) ∈ R}.

• Θ_C = {x ∈ Q_C | x ⌈ V_B ∈ Θ_B}.

• E_C = E_B and H_C = H_B.

• x →^a_C y if and only if x ⌈ V_B →^a_B y ⌈ V_B.

• x →^τ_C y if and only if x ⌈ V_B →^{τ_1}_B y ⌈ V_B where τ_1 = τ ⌈ V_B.

Let F : Q_C → Q_B be defined such that F(x) = x ⌈ V_B for all x ∈ Q_C. The function F
is an isomorphism from C to B: it is easy to check that F is a refinement from C to B.
We can also easily verify that F^{-1} is a refinement from B to C, by definition of C and the
fact that R^{-1} is a function from the states of B to the states of A.

Now, we verify that C is obtained from A by adding history variables. Let V_B be the
variable set V required in the definition of a history variable and let R' = {(x, y) | y ∈
Q_C ∧ y ⌈ V_A = x}. We need to show that R' is a history relation from A to C.

1. R' is a forward simulation from A to C.

By definitions of the relations F, R' and the automaton C, R' = F^{-1} ∘ R. Since F^{-1}
is a refinement from B to C, by Theorem 4.28 we know that it is a forward simulation
from B to C. Since R is a forward simulation from A to B, by Theorem 4.21 we have that
R' is a forward simulation from A to C, as needed.

2. R'^{-1} is a refinement from C to A.

By definitions of the relations F, R' and the automaton C, R'^{-1} = R^{-1} ∘ F. Since F
is a refinement from C to B and R^{-1} is a refinement from B to A, by Theorem 4.29
we have that R'^{-1} is a refinement from C to A, as needed. ■



The following theorem shows that forward simulations are essentially the same as
history relations combined with refinements.

Theorem 4.37 Let A and B be two comparable TAs such that V_A and V_B are disjoint.
There is a forward simulation from A to B if and only if there exists a TA C such that
there is a history relation from A to C and a refinement from C to B.

Proof: To prove the implication ⇒, suppose R is a forward simulation from A to B. Let
C be an automaton defined as follows:

• V_C = V_A ∪ V_B.

• Q_C = {x ∈ val(V_C) | (x ⌈ V_A, x ⌈ V_B) ∈ R}.

• Θ_C = {x ∈ Q_C | x ⌈ V_A ∈ Θ_A ∧ x ⌈ V_B ∈ Θ_B}.

• E_C = E_A and H_C = H_A.

• x →^a_C y if and only if both of the following conditions hold:

1. x ⌈ V_A →^a_A y ⌈ V_A.

2. There exists an execution fragment β of B such that β.fstate = x ⌈ V_B, β.lstate =
y ⌈ V_B, and trace(β) = trace(℘(x) a ℘(y)).

• x →^τ_C y if and only if both of the following conditions hold:

1. τ_1 = τ ⌈ V_A ∈ T_A and x ⌈ V_A →^{τ_1}_A y ⌈ V_A.

2. τ_2 = τ ⌈ V_B ∈ T_B and x ⌈ V_B →^{τ_2}_B y ⌈ V_B.

Let π_A and π_B be the functions that restrict states of C to, respectively, V_A and V_B.
It follows from the definitions that π_A^{-1} is a history relation from A to C and π_B is a
refinement from C to B.

For the implication ⇐, suppose that there is a history relation from A to C and that
there is a refinement from C to B. Then, by definition of a history relation, we know that
there is a forward simulation from A to C. We also know that there is a forward simulation
from C to B by Theorem 4.28. It follows that there is a forward simulation from A to B,
as needed. ■



Example 4.38 (Theorem 4.37 applied to time-bounded channels) In Example
4.26, we demonstrated a forward simulation from the automaton TimedChannel(b, M)
to the automaton TimedChannel2(b, M). Theorem 4.37 implies that there exists an
automaton A such that there is a history relation from TimedChannel(b, M) to A and a
refinement from A to TimedChannel2(b, M). The automaton TimedChannelH(b, M)
from Example 4.35 is a witness for A. ■



4.5.5 Prophecy Relations

A relation R ⊆ Q_A × Q_B is a prophecy relation from A to B if R is a backward simulation
from A to B and R^{-1} is a refinement from B to A. Prophecy relations induce a preorder
between timed automata.

An automaton B is obtained from an automaton A by adding prophecy variables if
there exists a set of variables V such that

1. V_B = V_A ∪ V and V_A ∩ V = ∅,

2. Q_B ⊆ val(V_B) such that Q_B ⌈ V_A ⊆ Q_A, and

3. The relation {(x, y) | y ∈ Q_B and y ⌈ V_A = x} is a prophecy relation from A to B.

Example 4.39 (Adding prophecy variables to obtain a refinement) In this example
we consider adding a prophecy variable to the automaton A from Example 4.34. Let C be
an automaton defined as follows:

• V_C = V_A ∪ {v} where v is a discrete variable with type(v) = {b, c}.

• Q_C = {x_C, x'_C, y_C, y'_C, q_C, s_C} such that

x_C ⌈ V_A = x_A and x_C ⌈ {v} = b
x'_C ⌈ V_A = x_A and x'_C ⌈ {v} = c
y_C ⌈ V_A = y_A and y_C ⌈ {v} = b
y'_C ⌈ V_A = y_A and y'_C ⌈ {v} = c
q_C ⌈ V_A = q_A and q_C ⌈ {v} = b
s_C ⌈ V_A = s_A and s_C ⌈ {v} = c

• E_C = {a, b, c}.

• D_C = {(x_C, a, y_C), (x'_C, a, y'_C), (y_C, b, q_C), (y'_C, c, s_C)}.

• T_C = {℘(v) | v ∈ Q_C}.

[Figure: A and C as directed multigraphs. C: x_C −a→ y_C −b→ q_C and x'_C −a→ y'_C −c→ s_C.]

The relation R = {(x_A, x_C), (x_A, x'_C), (y_A, y_C), (y_A, y'_C), (q_A, q_C), (s_A, s_C)} is a
backward simulation from A to C and R^{-1} is a refinement. Therefore, C is obtained by adding
a prophecy variable to A. Note that there is no refinement from A to the automaton B defined in
Example 4.34. However, the relation F = {(x_C, x_B), (x'_C, x_B), (y_C, y_B), (y'_C, y'_B), (q_C, q_B), (s_C, s_B)}
is a refinement from C to B. ■
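The automata A and B of Example 4.34 and C of Example 4.39, with checks of the forward and backward simulation conditions, as an added example written for this page (not the paper's own code). Since every trajectory is a point trajectory, the timed conditions reduce to their untimed form; the greatest-simulation computation goes beyond the text's case analysis and confirms that no forward simulation from A to B exists at all.

```python
# Automata as (start states, transitions (source, action, target)); the
# state names x_A, y'_B, x'_C of the paper become "xA", "yB'", "xC'" here.
A = ({"xA"}, {("xA", "a", "yA"), ("yA", "b", "qA"), ("yA", "c", "sA")})
B = ({"xB"}, {("xB", "a", "yB"), ("xB", "a", "yB'"),
              ("yB", "b", "qB"), ("yB'", "c", "sB")})
C = ({"xC", "xC'"}, {("xC", "a", "yC"), ("xC'", "a", "yC'"),
                     ("yC", "b", "qC"), ("yC'", "c", "sC")})


def states(aut):
    starts, trans = aut
    return starts | {s for s, _, _ in trans} | {t for _, _, t in trans}


def matches_forward(R, trans_d, sd, x2, y, a):
    """Is there a step y -a-> y2 of the destination with (x2, y2) in R?"""
    return any((y, a, y2) in trans_d and (x2, y2) in R for y2 in sd)


def is_forward_simulation(R, src, dst):
    """Forward simulation conditions, specialised to point-trajectory
    automata: start states are related to start states, and every step
    x -a-> x2 of src from a related state x is matched from y."""
    (starts_s, trans_s), (starts_d, trans_d) = src, dst
    sd = states(dst)
    if not all(any((x, y) in R for y in starts_d) for x in starts_s):
        return False
    return all(matches_forward(R, trans_d, sd, x2, y, a)
               for (x, a, x2) in trans_s for (x1, y) in R if x1 == x)


def is_backward_simulation(R, src, dst):
    """Conditions of Section 4.5.3: R is total; a state related to a start
    state of src is a start state of dst; every step x -a-> x2 of src is
    matched backwards from every y2 related to x2 by y -a-> y2, (x, y) in R."""
    (starts_s, trans_s), (starts_d, trans_d) = src, dst
    sd = states(dst)
    if not all(any(x1 == x for (x1, _) in R) for x in states(src)):
        return False
    if any(x in starts_s and y not in starts_d for (x, y) in R):
        return False
    return all(any((y, a, y2) in trans_d and (x, y) in R for y in sd)
               for (x, a, x2) in trans_s for (x3, y2) in R if x3 == x2)


def is_refinement(F, src, dst):
    """Theorem 4.28: a refinement is a forward simulation that is a function."""
    return len({x for x, _ in F}) == len(F) and is_forward_simulation(F, src, dst)


def inverse(R):
    return {(y, x) for (x, y) in R}


def greatest_forward_simulation(src, dst):
    """Forward simulations are closed under union, so the largest one exists;
    it is computed by deleting pairs that violate the step condition until
    nothing changes. A forward simulation from src to dst exists iff this
    relation relates every start state of src to a start state of dst."""
    (_, trans_s), trans_d = src, dst[1]
    sd = states(dst)
    R = {(x, y) for x in states(src) for y in sd}
    changed = True
    while changed:
        bad = {(x, y) for (x, y) in R for (x1, a, x2) in trans_s
               if x1 == x and not matches_forward(R, trans_d, sd, x2, y, a)}
        R, changed = R - bad, bool(bad)
    return R


def forward_simulation_exists(src, dst):
    G = greatest_forward_simulation(src, dst)
    return all(any((x, y) in G for y in dst[0]) for x in src[0])


# The candidate relation of Example 4.34, and the relations of Example 4.39.
R_AB = {("xA", "xB"), ("yA", "yB"), ("yA", "yB'"), ("qA", "qB"), ("sA", "sB")}
R_AC = {("xA", "xC"), ("xA", "xC'"), ("yA", "yC"), ("yA", "yC'"),
        ("qA", "qC"), ("sA", "sC")}
F_CB = {("xC", "xB"), ("xC'", "xB"), ("yC", "yB"), ("yC'", "yB'"),
        ("qC", "qB"), ("sC", "sB")}

if __name__ == "__main__":
    print("R forward A->B:", is_forward_simulation(R_AB, A, B))          # False
    print("any forward A->B:", forward_simulation_exists(A, B))          # False
    print("R backward A->B:", is_backward_simulation(R_AB, A, B))        # True
    print("R backward A->C:", is_backward_simulation(R_AC, A, C))        # True
    print("R^-1 refinement C->A:", is_refinement(inverse(R_AC), C, A))   # True
    print("F refinement C->B:", is_refinement(F_CB, C, B))               # True
```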



Theorem 4.40 Let A and B be two comparable TAs such that V_A and V_B are disjoint.
Suppose that there is a prophecy relation from A to B. Then there exists an automaton
C that is isomorphic to B and is obtained from A by adding prophecy variables.

Proof: The proof is analogous to the proof of Theorem 4.36. We assume a backward
simulation relation R instead of a forward simulation relation. We construct the automaton
C as in Theorem 4.36 and verify that it is obtained from A by adding a prophecy variable. ■

Theorem 4.41 Let A and B be two comparable TAs such that V_A and V_B are disjoint.
There is a backward simulation from A to B if and only if there exists a TA C such that
there is a prophecy relation from A to C and a refinement from C to B.

Proof: The proof is analogous to the proof of Theorem 4.37. We assume a backward
simulation relation R instead of a forward simulation. The construction of the automaton
C and the reasoning that follows are similar. ■

Example 4.42 (Theorem 4.41 applied to Examples 4.34 and 4.39) In Example
4.34, we demonstrated a backward simulation from A to B. Theorem 4.41 implies that
there exists an automaton C such that there is a prophecy relation from A to C and a
refinement from C to B. The automaton C defined in Example 4.39 constitutes a witness
for C. ■



5 Operations on Timed Automata 

In this section, we introduce four kinds of operations on timed automata: parallel
composition, hiding, adding lower and upper bounds for tasks, and untiming.

5.1 Composition 

5.1.1 Definitions and Basic Results 

The composition operation for timed automata allows an automaton representing a
complex system to be constructed by composing automata representing individual system
components. Our composition operation identifies external actions with the same name
in different component automata. When any component automaton performs a discrete
step involving an action a, so do all component automata that have a as an external
action. The composition operator for timed automata is simpler than it is for general hybrid
automata since all the variables in a timed automaton are internal (see the footnote below).

Formally, we say that timed automata A_1 and A_2 are compatible if H_1 ∩ A_2 = H_2 ∩ A_1 = ∅
and X_1 ∩ X_2 = ∅. If A_1 and A_2 are compatible then their composition A_1 ∥ A_2 is defined
to be the structure A = (X, Q, Θ, E, H, D, T) where

• X = X_1 ∪ X_2.

• Q = {x ∈ val(X) | x ⌈ X_i ∈ Q_i, i ∈ {1, 2}}.

• Θ = {x ∈ Q | x ⌈ X_i ∈ Θ_i, i ∈ {1, 2}}.

• E = E_1 ∪ E_2 and H = H_1 ∪ H_2.

• For each x, x' ∈ Q and each a ∈ A, x →^a_A x' iff for i ∈ {1, 2}, either (1) a ∈ A_i and
x ⌈ X_i →^a_{A_i} x' ⌈ X_i, or (2) a ∉ A_i and x ⌈ X_i = x' ⌈ X_i.

• T ⊆ trajs(X) is given by τ ∈ T ⇔ τ ⌈ X_i ∈ T_i, i ∈ {1, 2}.

Footnote: The composition operation for general hybrid automata requires external variables to be identified as
well as external actions. When any component automaton follows a particular trajectory for an external
variable v, then so do all component automata of which v is an external variable.

Theorem 5.1 If A_1 and A_2 are timed automata then A_1 ∥ A_2 is a timed automaton.

Lemma 5.2 Let A = A_1 ∥ A_2 and let α be an execution fragment of A. Then α ⌈ (A_1, X_1)
and α ⌈ (A_2, X_2) are execution fragments of A_1 and A_2, respectively. Furthermore,

1. α is time-bounded iff both α ⌈ (A_1, X_1) and α ⌈ (A_2, X_2) are time-bounded.

2. α is admissible iff both α ⌈ (A_1, X_1) and α ⌈ (A_2, X_2) are admissible.

3. α is closed iff both α ⌈ (A_1, X_1) and α ⌈ (A_2, X_2) are closed.

4. α is non-Zeno iff both α ⌈ (A_1, X_1) and α ⌈ (A_2, X_2) are non-Zeno.

5. α is an execution iff both α ⌈ (A_1, X_1) and α ⌈ (A_2, X_2) are executions.

Lemma 5.3 Let A = A_1 ∥ A_2, and let α be an execution fragment of A. Then, for i = 1, 2,
trace(α) ⌈ (E_i, ∅) = trace(α ⌈ (A_i, X_i)).

The following theorem is a fundamental theorem that relates the set of traces of a
composed automaton to the sets of traces of its components. Set inclusion in one direction
expresses the idea that a trace of a composition "projects" to yield traces of the
components. Set inclusion in the other direction expresses the idea that traces of components
can be "pasted" to yield a trace of the composition.

Theorem 5.4 Let A = A_1 ∥ A_2. Then traces_A is exactly the set of (E, ∅)-sequences whose
restrictions to A_1 and A_2 are traces of A_1 and A_2, respectively.

That is, traces_A = {β | β is an (E, ∅)-sequence and β ⌈ (E_i, ∅) ∈ traces_{A_i}, i ∈ {1, 2}}.

Notation: The compatibility conditions for composition require the set of internal
variables of each automaton to be disjoint from the set of internal variables of all the other
automata in the composition. We use a general scheme to disambiguate the internal
variables of components in order to avoid possible name clashes that can violate the
compatibility conditions. If A is the name of an automaton and v is an internal variable of A,
then we refer to this variable as A.v in the composite automaton.

Example 5.5 (Periodic sending process with timeouts) Let C be the composition
of three automata from Examples 4.1, 4.2 and 4.4:

C = PeriodicSend(u_1, M) ∥ TimedChannel(b, M) ∥ Timeout(u_2, M)

where M = {m_1, ..., m_n} and b + u_1 < u_2. The following sequence is a trace of C.

α = τ_0 send(m_1) τ_1 receive(m_1) τ_2 send(m_2) τ_3 receive(m_2) τ_4 ...

where ε is the set consisting of the function with the empty domain and

τ_0 : [0, u_1] → ε, τ_1 : [0, b] → ε, τ_2 : [0, u_1 − b] → ε, τ_3 : [0, b] → ε, τ_4 : [0, u_1 − b] → ε

The following invariant states that C never performs a timeout action.

Invariant 1: In any reachable state x of C, x(Timeout.suspected) = false.

In order to prove this invariant we can use an auxiliary invariant such as the one below,
which establishes the fact that every message is delivered before the variable now, which
keeps track of real time, reaches the point at which a timeout action occurs.

Invariant 2:

1. if x(TimedChannel.queue) is not empty then

x(TimedChannel.queue)(1) < x(TimedChannel.now) + u_2 − x(Timeout.clock).

2. if x(TimedChannel.queue) is empty then

u_1 − x(PeriodicSend.clock) + b < u_2 − x(Timeout.clock).



Example 5.6 (Periodic sending process with failures and timeouts) In this
example, we consider a composite automaton defined exactly like the one in Example 5.5
except that the automaton PeriodicSend(u_1, M) is replaced with PeriodicSend2(u_1, M).
Let C = PeriodicSend2(u_1, M) ∥ TimedChannel(b, M) ∥ Timeout(u_2, M). The following
sequence is a trace of C.

τ_0 send(m_1) τ_1 receive(m_1) τ_2 fail τ_3 timeout τ_4

where ε is the set consisting of the function with the empty domain and

τ_0 : [0, u_1] → ε, τ_1 : [0, b] → ε, τ_2 : [0, b] → ε, τ_3 : [0, u_2 − b] → ε, τ_4 : [0, ∞) → ε

According to this sample trace, the first message sent by the periodic sending process
is received exactly b time units after it is sent. The periodic sending process fails 2b time
units after sending its first message. The timeout process performs a timeout since no
second message arrives within the next u_2 time units after the receipt of the first message.

The following invariant states that a timeout performed by C can be used to conclude
that the sender process has failed.

Invariant 1: Let C = PeriodicSend2(u_1, M) ∥ TimedChannel(b, M) ∥ Timeout(u_2, M)
and assume that b + u_1 < u_2. In any reachable state x of C, if x(Timeout.suspected) =
true then x(PeriodicSend2.failed) = true.

The automaton C is guaranteed to perform a timeout to signal the failure of a process,
within a specified amount of time after the occurrence of a fail event. The following is a
formal statement of this property.

Let α be an execution of C and let t be the point in time at which a fail event occurs
in α. Then α includes a timeout event that occurs in the interval (t + b, t + b + u_2]. ■
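An added simulation of the composite automaton of Examples 5.5 and 5.6 (example code, not from the paper): the component automata PeriodicSend2, TimedChannel and Timeout are reconstructed from the text's informal descriptions, so their exact preconditions and effects are assumptions, and integer parameters are used so that clock comparisons are exact. It shows the shared actions synchronising (send between sender and channel, receive between channel and Timeout), the composite trajectory stopping at the earliest component stopping condition, Invariant 1 of Example 5.5, and the timeout bound of Example 5.6.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class State:
    """One state of C: the valuations of the three components side by side
    (X = X_1 ∪ X_2 ∪ X_3, all variables internal). Times are integers."""
    # PeriodicSend2(u1, M) (assumed rules): clock resets on send(m),
    # fail sets failed, and send is disabled once failed
    send_clock: int = 0
    failed: bool = False
    next_msg: int = 1
    # TimedChannel(b, M): now and a queue of (message, deadline) pairs
    now: int = 0
    queue: tuple = ()
    # Timeout(u2, M) (assumed rules): clock resets on receive(m),
    # timeout when clock = u2 and not yet suspected
    to_clock: int = 0
    suspected: bool = False


def max_delay(x, u1, u2):
    """Longest trajectory of C from x: a trajectory of C restricts to a
    trajectory of every component (τ⌈X_i ∈ T_i), so it stops as soon as
    any component's stopping condition is reached. None means unbounded."""
    bounds = []
    if not x.failed:
        bounds.append(u1 - x.send_clock)      # PeriodicSend2 stops at clock = u1
    if x.queue:
        bounds.append(x.queue[0][1] - x.now)  # TimedChannel stops at a deadline
    if not x.suspected:
        bounds.append(u2 - x.to_clock)        # Timeout stops at clock = u2
    return min(bounds) if bounds else None


def advance(x, dt):
    # every clock has d(.) = 1
    return replace(x, send_clock=x.send_clock + dt, now=x.now + dt,
                   to_clock=x.to_clock + dt)


def enabled_step(x, u1, b, u2):
    """One enabled discrete step of C, or None. Shared actions are performed
    by all components that have them; a fixed priority (deliver first, then
    send, then timeout) resolves the remaining nondeterminism, and messages
    are delivered exactly at their deadline, as in the trace of Example 5.5."""
    if x.queue and x.queue[0][1] == x.now:      # receive(m): channel and Timeout
        m = x.queue[0][0]
        return ("receive(%s)" % m,
                replace(x, queue=x.queue[1:], to_clock=0, suspected=False))
    if not x.failed and x.send_clock == u1:      # send(m): sender and channel
        m = "m%d" % x.next_msg
        return ("send(%s)" % m,
                replace(x, send_clock=0, next_msg=x.next_msg + 1,
                        queue=x.queue + ((m, x.now + b),)))
    if not x.suspected and x.to_clock == u2:     # timeout: Timeout alone
        return ("timeout", replace(x, suspected=True))
    return None


def run(u1, b, u2, horizon, fail_at=None):
    """Returns the (time, action) pairs of one execution of C up to time
    `horizon`; the fail input of PeriodicSend2 occurs at time fail_at."""
    x, trace = State(), []
    while True:
        if fail_at is not None and x.now == fail_at and not x.failed:
            x = replace(x, failed=True)
            trace.append((x.now, "fail"))
        step = enabled_step(x, u1, b, u2)
        if step is not None:
            trace.append((x.now, step[0]))
            x = step[1]
            continue
        if x.now >= horizon:
            return trace
        dt = horizon - x.now
        if max_delay(x, u1, u2) is not None:
            dt = min(dt, max_delay(x, u1, u2))
        if fail_at is not None and not x.failed and fail_at > x.now:
            dt = min(dt, fail_at - x.now)
        x = advance(x, dt)


def first_timeout(trace):
    """Time of the first timeout action in a trace, or None (Invariant 1)."""
    return next((t for t, a in trace if a == "timeout"), None)


if __name__ == "__main__":
    # Example 5.5: b + u1 < u2 and no failure, so no timeout ever occurs
    print(run(2, 1, 5, 12))
    # Example 5.6: fail at time 4, i.e. 2b after send(m1); the timeout lands
    # in (t + b, t + b + u2] = (5, 10]
    print(run(2, 1, 5, 12, fail_at=4))
```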

Example 5.7 (Clock synchronization) In this example we consider the composition
of three clock synchronization automata with six time-bounded channel automata. A
graphical representation of the composite automaton is given below. The abbreviation
CS_i represents the automaton ClockSync(u, ρ)_i. The abbreviation TC_{i,j} represents the
timed channel that communicates messages from ClockSync(u, ρ)_i to ClockSync(u, ρ)_j.
We assume that the time-bounded channel automata used in this composition are defined
as in Example 4.1, where the receive and send actions in each instance are renamed such that
they can be shared with the clock synchronization automata. Let C be

ClockSync(u, ρ)_1 ∥ ClockSync(u, ρ)_2 ∥ ClockSync(u, ρ)_3 ∥
TimedChannel(b, M)_1 ∥ ... ∥ TimedChannel(b, M)_6 where M = R+.

[Figure: the composite automaton C as a graph of the nodes CS_1, CS_2, CS_3 connected
pairwise by the channels TC_{i,j}; the edge labels are the shared send(m)_i and receive(m)_{i,j} actions.]

A physical clock diverges from real time at the largest rate when it evolves with rate
1 + ρ or 1 − ρ. For example, if a physical clock evolves with rate 1 + ρ, then at time t, its
value is t(1 + ρ). Hence, the largest possible difference between a physical clock and the
real time is tρ. This property is stated by the invariant below.

Invariant 1 : In any reachable state x ofC, at any time t eJ, for any i G {1,2,3}, 
\x{ClockSync{u, p)i.physclock) — i| < tp. 

Two physical clocks in C diverge at the largest rate when one evolves with rate 1+p and 
the other with 1 — p. It follows from Invariant 1 that, at any time t the largest possible 
difference between the physical clock values for two processes is 2tp. This property is 
formalized by the following invariant. 

Invariant 2 : In any reachable state x of C, at any time t E J, for any i,j G 
{1,2,3}, \x(ClockSync(u,p)i.physclock) — x.{ClockSync(u,p)j.physclock)\ < 2tp where 
i,jG {1,2,3}. 

The following invariant states that in any reachable state there exists a process j such 
that the logical clock of each other process in the system is smaller than or equal to the 
physical clock of j. This follows from the definition of a logical clock and the fact that 
physical clocks always increase. 

Invariant 3 : In any reachable state x ofC, there exists j G {1,2,3} such that for all 
i G {1,2,3}, x{ClockSync{u, p)i.logclock) < x{ClockSync{u, p) j .physclock) . 

The following invariant states that in any reachable state there exists a process j such 
that the logical clock of each other process in the system is larger than or equal to the 
physical clock of j. This follows from the definition of a logical clock. 
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Invariant 4 : In any reachable state x of C, there exists j G {1,2,3} such that for all 
i G {1,2,3}, x{ClockSync{u, p)i.logclock) > x{ClockSync{u, p) j .physclock) . 

Invariants 3 and 4 together are called validity properties. They express the condition 
that all the logical clocks remain in an envelope bounded by the maximum and minimum 
physical clock values in the system. 

The following invariant formalizes the property that all the logical clocks at a given 
time lie within the envelope formed by the largest and the smallest physical clock values 
in the system. It follows from Invariants 1, 3 and 4 that any point in this envelope can 
diverge from real time $t$ by at most $t\rho$ time units. 

Invariant 5: In any reachable state $\mathbf{x}$ of $C$, at any time $t \in \mathsf{T}$, for any $i \in \{1,2,3\}$, 
$|\mathbf{x}(\mathit{ClockSync}(u,\rho)_i.\mathit{logclock}) - t| \le t\rho$. 

Finally, we state a property about the agreement of logical clocks in $C$. 

Invariant 6: In any reachable state $\mathbf{x}$ of $C$, for $i, j \in \{1,2,3\}$, 
$|\mathbf{x}(\mathit{ClockSync}(u,\rho)_i.\mathit{logclock}) - \mathbf{x}(\mathit{ClockSync}(u,\rho)_j.\mathit{logclock})| \le u + b(1+\rho)$. 

To see why Invariant 6 holds, fix $j$ to be a process with the largest physical clock 
in $\mathbf{x}$, and fix $i$ to be any other process. Let $v_j, v_i$ be the logical clock values of $j$ and $i$ 
respectively in state $\mathbf{x}$. Note that $v_j$ is also the physical clock value of $j$ in $\mathbf{x}$. By Invariant 
3, we know that $v_i \le v_j$. To show Invariant 6, it suffices to show that $v_j - v_i \le u + b(1+\rho)$. 

Let $\alpha$ be a finite execution that leads to state $\mathbf{x}$. There are two cases to consider. 

1. Some message sent by $j$ arrives at $i$ in $\alpha$. 

Consider the last such message and let $v_1$ be the value that it contains. Let $v_2$ be 
the newly adjusted logical clock value of $i$ immediately after the message arrives. 
We know that $v_i \ge v_2 \ge v_1$. 

If $j$ sends a later message to $i$ in $\alpha$, then it sends the next later message when its 
physical clock has value $v_1 + u$. By assumption, this message does not arrive at $i$. 
Therefore, the real time that elapses after sending it must be at most $b$. It follows 
that the physical clock increase of $j$ since sending this message is at most $b(1+\rho)$, 
and so $v_j \le v_1 + u + b(1+\rho)$. On the other hand, if $j$ does not send a later message 
to $i$ in $\alpha$, then $v_j \le v_1 + u$. In either case, we have $v_j \le v_1 + u + b(1+\rho)$. Since 
$v_i \ge v_1$, we have $v_j - v_i \le u + b(1+\rho)$, as needed for Invariant 6. 

2. No message sent by $j$ arrives at $i$ in $\alpha$. 

Since the first send occurs at time $0$ and $b$ is the largest possible communication 
delay, the fact that $i$ has not received the first message sent by $j$ at time $t$ implies 
that $t \le b$. Since both clocks start at $0$, we have $v_j \le b(1+\rho)$ and $v_i \ge 0$. Therefore, 
$v_j - v_i \le u + b(1+\rho)$, which suffices for Invariant 6. 
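The argument above bounds the logical-clock skew without running the system. As an added illustration (not part of the paper), the Python simulation below runs three processes under exactly the assumptions the argument uses: each physical clock advances at a constant rate in $[1-\rho, 1+\rho]$ (so Invariant 1 holds by construction), each process sends its physical clock value whenever that clock reads a multiple of $u$ starting at $0$, every message is delivered within $b$ time units, and a logical clock is the maximum of the local physical clock and the largest value received. The model, the sampling points and the function names are constructed for this example. It records, for Invariants 3 through 6, the largest excess over the stated bound seen at any event; between events each logical clock is the maximum of a linear function and a constant, so pairwise differences are piecewise linear and their extremes occur at event boundaries, which is why checking just before and just after every event covers the whole run.

```python
import random


def simulate_clocksync(u=2.0, rho=0.01, b=0.5, n=3, horizon=40.0, seed=7):
    """Event-driven run of n ClockSync(u, rho) processes over channels whose delay
    lies in [0, b]. Returns, per invariant, the largest signed excess over the
    stated bound observed at any event; non-positive values mean the invariant
    held throughout (a positive value would be a violation).

    Assumed model (constructed for this example): process i's physical clock
    advances at a constant rate in [1 - rho, 1 + rho]; it sends its physical
    clock value whenever that clock reads a multiple of u, starting at 0; its
    logical clock is max(physical clock, largest value received so far).
    """
    rng = random.Random(seed)
    rate = [1.0 + rng.uniform(-rho, rho) for _ in range(n)]   # gives |physclock - t| <= t*rho
    maxother = [0.0] * n                                       # largest clock value received so far
    bound6 = u + b * (1 + rho)                                  # the bound of Invariant 6
    excess = {k: float("-inf") for k in ("inv3", "inv4", "inv5", "inv6")}

    def check(t):
        phys = [r * t for r in rate]
        log = [max(phys[i], maxother[i]) for i in range(n)]
        for i in range(n):
            excess["inv3"] = max(excess["inv3"], log[i] - max(phys))         # logclock <= max physclock
            excess["inv4"] = max(excess["inv4"], min(phys) - log[i])         # logclock >= min physclock
            excess["inv5"] = max(excess["inv5"], abs(log[i] - t) - t * rho)  # |logclock - t| <= t*rho
            for j in range(n):
                excess["inv6"] = max(excess["inv6"], abs(log[i] - log[j]) - bound6)

    # Pending events as (real time, kind, process, clock value carried).
    # Every process performs its first send when its physical clock reads 0, i.e. at time 0.
    events = [(0.0, "send", i, 0.0) for i in range(n)]
    while events:
        events.sort()
        t, kind, i, value = events.pop(0)
        if t > horizon:
            break
        check(t)                      # state just before the event
        if kind == "send":
            for j in range(n):
                if j != i:            # process j receives the value within b time units
                    events.append((t + rng.uniform(0.0, b), "recv", j, value))
            nxt = value + u           # next send when the physical clock reaches value + u
            events.append((nxt / rate[i], "send", i, nxt))
        else:
            maxother[i] = max(maxother[i], value)
        check(t)                      # state just after the event
    return excess


if __name__ == "__main__":
    for name, ex in simulate_clocksync().items():
        print(f"{name}: worst excess {ex:+.3e}")
```

Tightening the drift or the delay bound in the call shrinks the Invariant 6 slack; lowering the bound used in the check below $u + b(1+\rho)$ while keeping the model is the quickest way to see a positive excess appear.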
5.1.2 Substitutivity Results 

Theorem 5.4, which relates the set of traces of a composed automaton to the set of traces 
of component automata, is fundamental for compositional reasoning. We now introduce 
another important class of results, substitutivity results, that are useful for decomposing 
verification of composite automata. These results are best understood by viewing one of 
the components of a composition as the system and the other as the environment with 
which the system interacts. 

The following result states that if a TA $A_1$ can be shown to implement another one 
$A_2$, with no assumptions about their environments, then $A_1$ can be shown to implement 
$A_2$ in a given environment $B$. 

Theorem 5.8 Suppose $A_1$, $A_2$ and $B$ are TAs, $A_1$ and $A_2$ have the same external actions, 
and each of $A_1$ and $A_2$ is compatible with $B$. If $A_1 \le A_2$ then $A_1 \| B \le A_2 \| B$. 

Corollary 5.9 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TAs, $A_1$ and $A_2$ have the same external 
actions, $B_1$ and $B_2$ have the same external actions, and each of $A_1$ and $A_2$ is compatible 
with each of $B_1$ and $B_2$. If $A_1 \le A_2$ and $B_1 \le B_2$ then $A_1 \| B_1 \le A_2 \| B_2$. 

We can strengthen Corollary 5.9 slightly by the following corollary: if $A_1$ implements 
$A_2$ in an environment $B_2$, then $A_1$ composed with an environment that is more restrictive 
than $B_2$ (whose set of external behaviors is smaller than that of $B_2$) implements $A_2$ 
composed with $B_2$. 

Corollary 5.10 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TAs, $A_1$ and $A_2$ have the same external 
actions, $B_1$ and $B_2$ have the same external actions, and each of $A_1$ and $A_2$ is compatible 
with each of $B_1$ and $B_2$. If $A_1 \| B_2 \le A_2 \| B_2$ and $B_1 \le B_2$ then $A_1 \| B_1 \le A_2 \| B_2$. 

Proof: Let $\beta \in \mathit{traces}_{A_1 \| B_1}$. By Theorem 5.4, $\beta \lceil (E_{A_1}, \emptyset) \in \mathit{traces}_{A_1}$ and 
$\beta \lceil (E_{B_1}, \emptyset) \in \mathit{traces}_{B_1}$. Since $B_1 \le B_2$, $\beta \lceil (E_{B_1}, \emptyset) \in \mathit{traces}_{B_2}$. Since $B_1$ and $B_2$ 
have the same external actions, it follows that $\beta \lceil (E_{B_2}, \emptyset) \in \mathit{traces}_{B_2}$. We have 
$\beta \lceil (E_{A_1}, \emptyset) \in \mathit{traces}_{A_1}$ and $\beta \lceil (E_{B_2}, \emptyset) \in \mathit{traces}_{B_2}$. By Theorem 5.4, 
$\beta \in \mathit{traces}_{A_1 \| B_2}$. Since $A_1 \| B_2 \le A_2 \| B_2$ by assumption, $\beta \in \mathit{traces}_{A_2 \| B_2}$, 
as needed. ■ 



For other preorders, we also get substitutivity results, for example: 

Theorem 5.11 Suppose $A_1$, $A_2$ and $B$ are TAs, $A_1$ and $A_2$ have the same external 
actions, and each of $A_1$ and $A_2$ is compatible with $B$. 

1. If every closed trace of $A_1$ is a trace of $A_2$ then every closed trace of $A_1 \| B$ is a trace 
of $A_2 \| B$. 

2. If every admissible trace of $A_1$ is a trace of $A_2$ then every admissible trace of $A_1 \| B$ 
is a trace of $A_2 \| B$. 

3. If every non-Zeno trace of $A_1$ is a trace of $A_2$ then every non-Zeno trace of $A_1 \| B$ 
is a trace of $A_2 \| B$. 

Example 5.12 (A counterexample for a desirable substitutivity theorem) Suppose 
$A_1$ and $A_2$ have the same external actions, $B_1$ and $B_2$ have the same external actions, 
and that each of $A_1$ and $A_2$ is compatible with each of $B_1$ and $B_2$. If we view $A_2$ and 
$B_2$ as specifications and want to prove that $A_1 \| B_1 \le A_2 \| B_2$, it would be useful to have 
a theorem that says if $A_1 \| B_2 \le A_2 \| B_2$ and $A_2 \| B_1 \le A_2 \| B_2$ then $A_1 \| B_1 \le A_2 \| B_2$. That 
is, if $A_1$ implements $A_2$ in the context of $B_2$ and $B_1$ implements $B_2$ in the context of 
$A_2$, we would like to conclude that $A_1 \| B_1$ implements $A_2 \| B_2$. We show by means of a 
counterexample that it is impossible to prove such a theorem. 

Consider the definitions of automata $A_1, A_2, B_1, B_2$ in Figures 11 and 12. All automata 
have the same set of actions, consisting of the external actions $a$ and $b$. $A_1$ can perform 
an arbitrary number of $b$s, and can perform an $a$ provided that the count of $a$s and the 
count of $b$s are equal. $A_1$ allows the count of $a$s to increase to one more than the count of 
$b$s. 

$B_1$ can perform an arbitrary number of $a$s, and can perform a $b$ provided that the 
count of $a$s is one more than the count of $b$s. $B_1$ allows the count of $b$s to reach the count 
of $a$s. 

$A_2$ has an infinite number of start states, each giving a different finite bound on the 
number of $a$ actions it can perform. Similarly, $B_2$ has an infinite number of start states, 
each giving a different finite bound on the number of $b$ actions it can perform. 

Clearly, $A_1 \| B_2 \le A_2 \| B_2$, and $A_2 \| B_1 \le A_2 \| B_2$. On the other hand, $A_1 \| B_1$ can per- 
form an infinite sequence of alternating $a$s and $b$s, which is not allowed by the 
specification $A_2 \| B_2$. This implies that $A_1 \| B_1$ does not implement $A_2 \| B_2$. ■ 

In Section 8, we revisit the substitutivity issue and prove Theorem 8.8, a variant of 
the desirable theorem considered in the above example, by assuming certain conditions on 
the environments $A_2$ and $B_2$. 

5.2 Hiding 

We define one hiding operation for timed automata, which hides external actions: if 
$E \subseteq E_A$, then $\mathrm{ActHide}(E, A)$ is the TA $B$ that is equal to $A$ except that $E_B = E_A - E$ 
and $H_B = H_A \cup E$. 
Automaton $A_1$ 
  Variables X :     discrete counta ∈ Z initially 0 
                    discrete countb ∈ Z initially 0 
  States Q :        val(X) 
  Actions A :       external a, b 
  Transitions D : 
    external a 
      precondition 
        countb = counta 
      effect 
        counta := counta + 1 

    external b 
      effect 
        countb := countb + 1 

  Trajectories T :  {℘(x) | x ∈ Q} 

Automaton $B_1$ 
  Variables X :     discrete counta ∈ Z initially 0 
                    discrete countb ∈ Z initially 0 
  States Q :        val(X) 
  Actions A :       external a, b 
  Transitions D : 
    external b 
      precondition 
        counta = countb + 1 
      effect 
        countb := countb + 1 

    external a 
      effect 
        counta := counta + 1 

  Trajectories T :  {℘(x) | x ∈ Q} 

Figure 11: Automata $A_1$ and $B_1$ 
Automaton $A_2$ 
  Variables X :     discrete maxcount ∈ Z^{≥0} initially arbitrary 
                    discrete counta ∈ Z^{≥0} initially 0 
  States Q :        val(X) 
  Actions A :       external a, b 
  Transitions D : 
    external a 
      precondition 
        counta < maxcount 
      effect 
        counta := counta + 1 

    external b 

  Trajectories T :  {℘(x) | x ∈ Q} 

Automaton $B_2$ 
  Variables X :     discrete maxcount ∈ Z^{≥0} initially arbitrary 
                    discrete countb ∈ Z^{≥0} initially 0 
  States Q :        val(X) 
  Actions A :       external a, b 
  Transitions D : 
    external b 
      precondition 
        countb < maxcount 
      effect 
        countb := countb + 1 

    external a 

  Trajectories T :  {℘(x) | x ∈ Q} 

Figure 12: Automata $A_2$ and $B_2$ 
Lemma 5.13 If $E \subseteq E_A$ then $\mathrm{ActHide}(E, A)$ is a TA. 

Lemma 5.14 If $A$ is a TA and $E \subseteq E_A$ then 
$\mathit{traces}_{\mathrm{ActHide}(E, A)} = \{\beta \lceil (E_A - E, \emptyset) \mid \beta \in \mathit{traces}_A\}$. 

The following theorem states that the hiding operation respects the implementation 
relation. 

Theorem 5.15 Suppose $A$ and $B$ are TAs with $A \le B$, and suppose $E \subseteq E_A$. Then 
$\mathrm{ActHide}(E, A) \le \mathrm{ActHide}(E, B)$. 

5.3 Extending Timed Automata with Bounds 

In this section, we define a new class of automata, "TA with bounds" where the basic 
definition of a timed automaton is extended with the notion of a task and a pair of bounds 
(a lower and an upper bound) for each task. We then define an operation that transforms 
a given TA with bounds to another TA. This operation supports specifying a system by 
thinking in terms of tasks and bounds as in the timed automata of Merritt, Modugno, and 
Tuttle [29] and the phase transition systems of Maler, Manna and Pnueli [28]. 

In defining the operation for extending timed automata with bounds, we restrict atten- 
tion to a class of automata where the enabling and disabling of actions during trajectories 
follow certain rules. Specifically, our operation is defined on automata in which each action 
is enabled or disabled throughout an entire trajectory, or becomes enabled once during a 
trajectory and remains so until the end of that trajectory. The given restrictions ensure 
that the result of applying the operation to a TA is another TA and that the resulting TA 
satisfies the restrictions. 

Let $A$ be a TA, $C$ a set of actions of $A$, and $\mathcal{T}$ the set of trajectories of $A$. We say that 
$\mathcal{T}$ is well-formed with respect to $C$ if each $\tau \in \mathcal{T}$ satisfies one of the following conditions: 

1. For all $t \in \mathit{dom}(\tau)$, $C$ is enabled in $\tau(t)$. 

2. For all $t \in \mathit{dom}(\tau)$, $C$ is disabled in $\tau(t)$. 

3. There exists $t \in \mathit{dom}(\tau)$ such that for all $t' \in [0, t)$, $C$ is disabled in $\tau(t')$ and for all 
$t' \in \mathit{dom}(\tau) - [0, t)$, $C$ is enabled in $\tau(t')$. 

A TA with bounds, $A = (B, C, l, u)$, consists of: 

• A timed automaton $B = (X, Q, \Theta, E, H, \mathcal{D}, \mathcal{T})$. 

• A set $C \subseteq E \cup H$ of actions called a task; we assume that $\mathcal{T}$ is well-formed with 
respect to $C$. 

• A lower time bound $l$ and an upper time bound $u$ for $C$. We require that the 
following axioms are satisfied for $l$ and $u$: 

B1 $l \in \mathbb{R}^{\ge 0}$ and $u \in \mathbb{R}^{\ge 0} \cup \{\infty\}$. 
B2 $l \le u$. 

Lower and upper bounds are used to specify how much time is allowed to pass between 
the enabling and the performance of an action. If $l$ is the lower bound for a task $C$, then 
an action in $C$ must remain enabled for at least $l$ time units before being performed. If $u$ 
is the upper bound for a task $C$, then an action in $C$ can remain enabled at most $u$ time 
units without being performed: it must either be performed or become disabled within $u$ 
time units. 

We now define an operation Extend, which transforms a TA $A$ with bounds to another 
TA $A'$ that incorporates the new bounds, in addition to the timing constraints already 
present in $A$. Let $A = (B, C, l, u)$ be a TA with bounds where $B = (X, Q, \Theta, E, H, \mathcal{D}, \mathcal{T})$. 
Then $\mathrm{Extend}(A)$ is the TA $A' = (X', Q', \Theta', E', H', \mathcal{D}', \mathcal{T}')$ such that the components of $A'$ 
consist of: 

• $X' = X \cup \{\mathit{now}, \mathit{first}, \mathit{last}\}$ where: 

1. $\mathit{now}$, $\mathit{first}$, and $\mathit{last}$ are new variables that do not appear in $X$. 

2. $\mathit{now}$ is an analog variable such that $\mathit{type}(\mathit{now}) = \mathbb{R}$. 

3. $\mathit{first}$ and $\mathit{last}$ are discrete variables where $\mathit{type}(\mathit{first}) = \mathbb{R}$ and 
$\mathit{type}(\mathit{last}) = \mathbb{R} \cup \{\infty\}$. 

• $Q' = \{\mathbf{x} \in \mathit{val}(X') \mid \mathbf{x} \lceil X \in Q\}$. 

• $\Theta'$ consists of all the states $\mathbf{x} \in Q'$ that satisfy the following conditions: 

1. $\mathbf{x} \lceil X \in \Theta$. 

2. $\mathbf{x}(\mathit{now}) = 0$. 

3. $\mathbf{x}(\mathit{first}) = l$ if $C$ is enabled in $\mathbf{x} \lceil X$, and $\mathbf{x}(\mathit{first}) = 0$ otherwise. 

4. $\mathbf{x}(\mathit{last}) = u$ if $C$ is enabled in $\mathbf{x} \lceil X$, and $\mathbf{x}(\mathit{last}) = \infty$ otherwise. 

• $E' = E$ and $H' = H$. We write $A' = E' \cup H'$. 

• If $a \in (E \cup H)$ then $(\mathbf{x}, a, \mathbf{x}') \in \mathcal{D}'$ exactly if all of the following conditions hold: 

1. $(\mathbf{x} \lceil X) \xrightarrow{a} (\mathbf{x}' \lceil X)$. 

2. $\mathbf{x}'(\mathit{now}) = \mathbf{x}(\mathit{now})$. 

3. (a) If $a \in C$, then $\mathbf{x}(\mathit{first}) \le \mathbf{x}(\mathit{now})$. 

(b) If $C$ is enabled both in $\mathbf{x} \lceil X$ and $\mathbf{x}' \lceil X$ and $a \notin C$, then $\mathbf{x}(\mathit{first}) = \mathbf{x}'(\mathit{first})$ 
and $\mathbf{x}(\mathit{last}) = \mathbf{x}'(\mathit{last})$. 

(c) If $C$ is enabled in $\mathbf{x}' \lceil X$ and either $C$ is not enabled in $\mathbf{x} \lceil X$ or $a \in C$, 
then $\mathbf{x}'(\mathit{first}) = \mathbf{x}(\mathit{now}) + l$ and $\mathbf{x}'(\mathit{last}) = \mathbf{x}(\mathit{now}) + u$. 

(d) If $C$ is not enabled in $\mathbf{x}' \lceil X$, then $\mathbf{x}'(\mathit{first}) = 0$ and $\mathbf{x}'(\mathit{last}) = \infty$. 

• $\mathcal{T}'$ is the set that consists of all $\tau \in \mathit{trajs}(X')$ that satisfy the following conditions: 

1. $\tau \downarrow X \in \mathcal{T}$. 

2. $\mathbf{d}(\mathit{now}) = 1$. 

3. (a) If for all $t \in \mathit{dom}(\tau)$, $C$ is enabled in $\tau \downarrow X(t)$, then $\mathit{first}$ and $\mathit{last}$ are 
constant throughout $\tau$. 

(b) If for all $t \in \mathit{dom}(\tau)$, $C$ is disabled in $\tau \downarrow X(t)$, then $\mathit{first}$ and $\mathit{last}$ are 
constant throughout $\tau$. 

(c) If for all $t' \in [0, t)$, $C$ is disabled in $\tau(t')$ and for all $t' \in \mathit{dom}(\tau) - [0, t)$, $C$ 
is enabled in $\tau(t')$, then 

i. $\mathit{first}$ and $\mathit{last}$ are constant in $[0, t)$. 

ii. $\tau(t)(\mathit{first}) = \tau(t)(\mathit{now}) + l$ and $\tau(t)(\mathit{last}) = \tau(t)(\mathit{now}) + u$. 

iii. $\mathit{first}$ and $\mathit{last}$ are constant in $\mathit{dom}(\tau) - [0, t)$. 

(d) $\mathit{now} \le \mathit{last}$. 

The transformation is based on the idea of augmenting the state of the original au- 
tomaton with a variable to represent current time ($\mathit{now}$) and the earliest time ($\mathit{first}$) and 
the latest time ($\mathit{last}$) a task can be performed. All these variables represent time in ab- 
solute terms. Item 3(a) in the definition of $\mathcal{D}'$ expresses the new lower bound constraint 
and Item 3(d) in the definition of $\mathcal{T}'$ the new upper bound constraint. 

Let $A$ be a TA with bounds $(B, C, l, u)$. In a start state $\mathbf{x}$ of $\mathrm{Extend}(A)$, the variables 
$\mathit{first}$ and $\mathit{last}$ are initialized to $l$ and $u$ respectively, if $C$ is enabled in $\mathbf{x}$. If $C$ is not enabled 
in $\mathbf{x}$, then $\mathit{first}$ is set to $0$ and $\mathit{last}$ is set to $\infty$. Items 3(c) in the definition of $\mathcal{D}'$ and 3(c) in 
the definition of $\mathcal{T}'$ show how the variables $\mathit{first}$ and $\mathit{last}$ are updated. When $C$ becomes 
newly enabled by a discrete transition or when a $C$ action leads to a state in which $C$ is 
enabled, $\mathit{first}$ is set to $\mathit{now} + l$ and $\mathit{last}$ is set to $\mathit{now} + u$. The variables $\mathit{first}$ and $\mathit{last}$ are 
updated similarly when $C$ becomes newly enabled in the course of a trajectory. 
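The definition above is operational enough to execute. The following Python code is an added example, not part of the paper: it applies the Extend transformation to the automaton $A_1$ of Figure 11 with the task $C = \{a\}$ and assumed bounds $l = 1$ and $u = 3$, representing a state of $\mathrm{Extend}(A)$ as the tuple $(\mathbf{x} \lceil X, \mathit{now}, \mathit{first}, \mathit{last})$. It reads "$C$ is enabled in a state" as "some action of $C$ is enabled there", which is the usual reading of a set of actions being enabled. Because $A_1$ has only discrete variables, its trajectories hold $\mathbf{x} \lceil X$ constant, so time passage only advances $\mathit{now}$ and rule 3(d) of $\mathcal{T}'$ ($\mathit{now} \le \mathit{last}$) is the single check needed; the discrete-step function implements items 1, 2 and 3(a) to 3(d) of $\mathcal{D}'$. The validator `run` replays an execution fragment given as time-passage and action steps and reports which rule rejects it, which makes the two parts of Theorem 5.19 visible on concrete fragments: a wait longer than $u$ while $C$ stays enabled is refused, and an $a$ performed less than $l$ after $C$ became enabled is refused. Class and function names are mine.

```python
import math
from dataclasses import dataclass

INF = math.inf


@dataclass(frozen=True)
class A1State:
    """State x⌈X of the underlying automaton A_1 (Figure 11)."""
    counta: int = 0
    countb: int = 0


def a1_enabled(x, action):
    """Precondition of an action of A_1; b has no precondition."""
    if action == "a":
        return x.countb == x.counta
    if action == "b":
        return True
    raise ValueError(f"unknown action {action!r}")


def a1_step(x, action):
    """Effect of the transition (x, action, x') of A_1."""
    if action == "a":
        return A1State(x.counta + 1, x.countb)
    return A1State(x.counta, x.countb + 1)


@dataclass(frozen=True)
class ExtState:
    """State of Extend(A): the underlying state plus now, first and last."""
    base: A1State
    now: float
    first: float
    last: float


class Extend:
    """Extend(A) for A = (B, C, l, u), with B given by its enabled/step functions."""

    def __init__(self, enabled, step, task, l, u):
        if not (0 <= l <= u):                        # axioms B1 and B2
            raise ValueError("bounds must satisfy 0 <= l <= u")
        self.enabled, self.step = enabled, step
        self.task, self.l, self.u = frozenset(task), float(l), float(u)

    def task_enabled(self, base):
        """C is enabled in a state when some action of C is enabled there (assumed reading)."""
        return any(self.enabled(base, c) for c in self.task)

    def start(self, base):
        """Θ': now = 0, and (first, last) = (l, u) if C is enabled, else (0, ∞)."""
        if self.task_enabled(base):
            return ExtState(base, 0.0, self.l, self.u)
        return ExtState(base, 0.0, 0.0, INF)

    def discrete(self, x, action):
        """Return x' if (x, action, x') ∈ D', or None if some condition fails."""
        if not self.enabled(x.base, action):
            return None                              # item 1: B itself must take the step
        if action in self.task and not x.first <= x.now:
            return None                              # item 3(a): lower bound not yet reached
        base2 = self.step(x.base, action)
        en_before, en_after = self.task_enabled(x.base), self.task_enabled(base2)
        if not en_after:                             # item 3(d): C disabled in x'
            first, last = 0.0, INF
        elif not en_before or action in self.task:   # item 3(c): C newly enabled
            first, last = x.now + self.l, x.now + self.u
        else:                                        # item 3(b): C stays enabled
            first, last = x.first, x.last
        return ExtState(base2, x.now, first, last)   # item 2: now is unchanged

    def passage(self, x, d):
        """Let d time units pass; None if the trajectory would violate now ≤ last."""
        if d < 0 or x.now + d > x.last:              # item 3(d) of T'
            return None
        # A_1 has only discrete variables, so x⌈X, first and last stay constant (3(a)/3(b) of T').
        return ExtState(x.base, x.now + d, x.first, x.last)


def run(ext, base0, steps):
    """Replay ("time", d) / ("act", a) steps from the start state built on base0.
    Returns (accepted, last state reached, reason)."""
    x = ext.start(base0)
    for kind, arg in steps:
        nxt = ext.passage(x, arg) if kind == "time" else ext.discrete(x, arg)
        if nxt is None:
            return False, x, f"{kind} {arg} rejected at now={x.now}, first={x.first}, last={x.last}"
        x = nxt
    return True, x, "accepted"


# A = (A_1, {a}, l, u) with the assumed bounds l = 1 and u = 3.
EXT = Extend(a1_enabled, a1_step, task={"a"}, l=1, u=3)

if __name__ == "__main__":
    print(run(EXT, A1State(), [("time", 4.0)]))                  # waits past u: rejected
    print(run(EXT, A1State(), [("time", 0.5), ("act", "a")]))    # a before first: rejected
    print(run(EXT, A1State(), [("time", 1.0), ("act", "a"), ("time", 10.0),
                               ("act", "b"), ("time", 2.5), ("act", "a")]))
```

After the first $a$ the task is disabled (the $a$ count exceeds the $b$ count), so $\mathit{first}$ and $\mathit{last}$ fall back to $0$ and $\infty$ and arbitrary time may pass; the following $b$ re-enables $C$ and rule 3(c) re-arms both bounds relative to the current $\mathit{now}$.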

Theorem 5.16 Suppose that $A = (B, C, l, u)$ is a TA with bounds. Then $\mathrm{Extend}(A)$ is a 
TA with a set of trajectories that is well-formed with respect to $C$. 

Proof: The proof follows from the definitions of TA and the operation Extend. Step 
3(a) in the definition of $\mathcal{D}'$ adds a new lower bound constraint, which makes enabling 
start at some particular time. Step 3(d) in the definition of $\mathcal{T}'$ adds a new upper bound 
constraint, which stops trajectories at a particular time and which does not add any 
enabling or disabling to trajectories. ■ 

In the rest of this section, we sometimes speak of variables, states and traces of a TA 
with bounds. If $A = (B, C, l, u)$ is a TA with bounds, the variables, states and traces of $A$ 
refer to, respectively, the variables, the states and the traces of the underlying automaton $B$. 

Theorem 5.17 Suppose $A = (B, C, l, u)$ is a TA with bounds. Then $\mathit{traces}_{\mathrm{Extend}(A)} \subseteq \mathit{traces}_A$. 

Proof: Let $F : Q' \to Q$ be defined as follows: $F(\mathbf{x}) = \mathbf{x} \lceil X$, where $X$ is the set of 
internal variables of $A$. It is easy to check that $F$ is a refinement from $\mathrm{Extend}(A)$ to $A$. 
By Theorem 4.28 and Corollary 4.24, we conclude that $\mathit{traces}_{\mathrm{Extend}(A)} \subseteq \mathit{traces}_A$. ■ 

Lemma 5.18 Suppose that $A$ is a TA with bounds. For any reachable state $\mathbf{x}$ of $\mathrm{Extend}(A)$, 
if $C$ is enabled in $\mathbf{x} \lceil X$ in $A$, then $\mathbf{x}(\mathit{last}) \le \mathbf{x}(\mathit{now}) + u$. 

Proof: Consider a closed execution $\alpha$ of $\mathrm{Extend}(A)$. Using the axioms T1 and T2 for 
trajectories, we can write $\alpha$ as a concatenation of closed execution fragments 
$\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_k$, where $\alpha_0$ is a point trajectory, and each $\alpha_i$ for $i \ge 1$ is either 
a trajectory or a discrete action surrounded by two point trajectories, such that for all 
$0 \le i \le k-1$, $\alpha_i.\mathit{lstate} = \alpha_{i+1}.\mathit{fstate}$. 
We prove the invariant by induction on the length $k$ of the sequence of execution fragments. 

For the base case, suppose that $C$ is enabled in $\alpha_0.\mathit{fstate} \lceil X$. Since $\alpha$ is an execu- 
tion, we know that $\alpha_0.\mathit{fstate}$ is a start state of $\mathrm{Extend}(A)$. By definition of $\mathrm{Extend}(A)$, 
$\alpha_0.\mathit{fstate}(\mathit{last}) = u$. Since $\alpha_0.\mathit{fstate}(\mathit{now}) = 0$, $\alpha_0.\mathit{fstate}(\mathit{last}) \le \alpha_0.\mathit{fstate}(\mathit{now}) + u$, as 
required. 

For the inductive step, we assume that the property is true for the sequence $\alpha_0 \frown \alpha_1 \frown 
\cdots \frown \alpha_k$ and show that it is true for $\alpha_{k+1}$ in $\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_k \frown \alpha_{k+1}$. There are 
two cases to consider depending on whether $\alpha_{k+1}$ is a discrete action surrounded by two 
point trajectories or a trajectory. 

1. $\alpha_{k+1}$ is an action $a$ surrounded by two point trajectories. Suppose that $C$ is enabled 
in $\alpha_{k+1}.\mathit{lstate} \lceil X$. There are two subcases to consider: 

(a) $C$ is enabled in $\alpha_k.\mathit{lstate} \lceil X$ and $a \notin C$. 

Then, since the transition leaves $\mathit{now}$ and $\mathit{last}$ unchanged, $\alpha_{k+1}.\mathit{lstate}(\mathit{last}) = \alpha_k.\mathit{lstate}(\mathit{last})$ 
and $\alpha_{k+1}.\mathit{lstate}(\mathit{now}) = \alpha_k.\mathit{lstate}(\mathit{now})$. 
By the inductive hypothesis, $\alpha_k.\mathit{lstate}(\mathit{last}) \le \alpha_k.\mathit{lstate}(\mathit{now}) + u$. Therefore, 
$\alpha_{k+1}.\mathit{lstate}(\mathit{last}) \le \alpha_{k+1}.\mathit{lstate}(\mathit{now}) + u$, as needed. 

(b) $C$ is disabled in $\alpha_k.\mathit{lstate} \lceil X$ or $a \in C$. 

Then, by definition of $\mathrm{Extend}(A)$, $\alpha_{k+1}.\mathit{lstate}(\mathit{last}) = \alpha_{k+1}.\mathit{lstate}(\mathit{now}) + u$, 
which suffices. 

2. $\alpha_{k+1}$ is a trajectory. 

Suppose that $C$ is enabled in $\alpha_{k+1}.\mathit{lstate} \lceil X$ in $A$. There are two subcases to con- 
sider: 

(a) $C$ is enabled in $\alpha_{k+1}.\mathit{fstate} \lceil X$ in $A$. 

By the inductive hypothesis $\alpha_{k+1}.\mathit{fstate}(\mathit{last}) \le \alpha_{k+1}.\mathit{fstate}(\mathit{now}) + u$. By the well- 
formedness assumption, we know that $C$ must be enabled throughout $\alpha_{k+1}$ and 
by definition of $\mathrm{Extend}(A)$ $\mathit{last}$ is constant throughout $\alpha_{k+1}$. Since the value of 
$\mathit{now}$ increases, it is easy to see that $\alpha_{k+1}.\mathit{lstate}(\mathit{last}) \le \alpha_{k+1}.\mathit{lstate}(\mathit{now}) + u$. 

(b) $C$ is disabled in $\alpha_{k+1}.\mathit{fstate} \lceil X$ in $A$. 

Then, since it is enabled in $\alpha_{k+1}.\mathit{lstate} \lceil X$, by the well-formedness assumption 
it becomes enabled at some point $t$ in the domain of $\alpha_{k+1}$ and remains en- 
abled thereafter. Therefore, $\alpha_{k+1}(t)(\mathit{last}) = \alpha_{k+1}(t)(\mathit{now}) + u$, by definition 
of $\mathrm{Extend}(A)$. Since $\mathit{last}$ remains constant after it is set and the value of $\mathit{now}$ 
increases, $\alpha_{k+1}.\mathit{lstate}(\mathit{last}) \le \alpha_{k+1}.\mathit{lstate}(\mathit{now}) + u$ holds. ■ 



The theorem below shows that the executions of an automaton obtained by applying 
the transformation Extend to a TA with bounds respect the time bounds specified by the 
lower bound $l$ and the upper bound $u$. 

Theorem 5.19 Let $A = (B, C, l, u)$ be a TA with bounds. Then, 

1. There does not exist a closed execution fragment $\alpha$ of $\mathrm{Extend}(A)$ from a reachable 
state, where $\alpha.\mathit{ltime} > u$, $C$ is enabled in $A$ in all the states of $\alpha \lceil (A, X)$ and no 
action in $C$ occurs in $\alpha$. 

2. There does not exist a closed execution fragment $\alpha$ of $\mathrm{Extend}(A)$ from a reachable 
state, where $\alpha.\mathit{ltime} < l$, such that $C$ is not enabled in $A$ in the first state of $\alpha \lceil (A, X)$ 
and an action in $C$ occurs in $\alpha$. 

Proof: 

1. Suppose, for the sake of contradiction, that there exists a closed execution fragment 
$\alpha = \tau_0\, a_1\, \tau_1\, a_2 \cdots \tau_n$ of $\mathrm{Extend}(A)$ from a reachable state, where $\alpha.\mathit{ltime} > u$, $C$ is 
enabled in $A$ in all the states of $\alpha \lceil (A, X)$ and none of the $a_i$ in $\alpha$ is in $C$. By definition 
of trajectories for $\mathrm{Extend}(A)$ it must be the case that $\alpha.\mathit{lstate}(\mathit{now}) \le \alpha.\mathit{lstate}(\mathit{last})$. 
Since $C$ is enabled in $A$ in all states in $\alpha$, by Lemma 5.18 we have $\alpha.\mathit{fstate}(\mathit{last}) \le 
\alpha.\mathit{fstate}(\mathit{now}) + u$. By definition of $\mathrm{Extend}(A)$, $\mathit{last}$ remains constant throughout $\alpha$; 
therefore, $\alpha.\mathit{lstate}(\mathit{last}) = \alpha.\mathit{fstate}(\mathit{last})$. Since $\alpha.\mathit{fstate}(\mathit{last}) \le \alpha.\mathit{fstate}(\mathit{now}) + u$, 
it follows that $\alpha.\mathit{lstate}(\mathit{last}) \le \alpha.\mathit{fstate}(\mathit{now}) + u$. By definition of $\alpha$, we have 
$\alpha.\mathit{lstate}(\mathit{now}) = \alpha.\mathit{fstate}(\mathit{now}) + \alpha.\mathit{ltime}$. Combining this with $\alpha.\mathit{lstate}(\mathit{now}) \le 
\alpha.\mathit{lstate}(\mathit{last})$, it follows that $\alpha.\mathit{fstate}(\mathit{now}) + \alpha.\mathit{ltime} \le \alpha.\mathit{fstate}(\mathit{now}) + u$. This 
implies $\alpha.\mathit{ltime} \le u$. But this gives us the needed contradiction since $\alpha.\mathit{ltime} > u$. 

2. We assume that $\alpha$ is a closed execution fragment of $\mathrm{Extend}(A)$ from a reachable state 
where $\alpha.\mathit{ltime} < l$, such that $C$ is not enabled in $A$ in the first state of $\alpha$ and an 
action in $C$ occurs in $\alpha$. Let $(\mathbf{x}, a, \mathbf{x}')$ be the first discrete transition of $\mathrm{Extend}(A)$ in 
$\alpha$ such that $a \in C$. We show that the condition $\mathbf{x}(\mathit{first}) \le \mathbf{x}(\mathit{now})$, which has to hold 
for the discrete transition to occur, cannot be true, and hence arrive at a contradiction. 

By Theorem 5.16, the set of trajectories of $\mathrm{Extend}(A)$ is well-formed with respect 
to $C$. Therefore, $C$ can become enabled by either a discrete transition or during a 
trajectory, and remains enabled until the occurrence of $(\mathbf{x}, a, \mathbf{x}')$. 

(a) $C$ becomes enabled by a discrete transition and remains enabled in $A$ until the 
occurrence of $(\mathbf{x}, a, \mathbf{x}')$. 

Let $(\mathbf{y}, b, \mathbf{y}')$ be the discrete transition of $A$ that enables $C$. By item 3(c) in 
the definition of $\mathcal{D}'$ we know that $\mathit{first}$ is set to $\mathbf{y}(\mathit{now}) + l$ when $C$ becomes 
enabled. By item 3(b) in the definition of $\mathcal{D}'$ and 3(a) in the definition of $\mathcal{T}'$, we 
know that it remains constant, so that $\mathbf{x}(\mathit{first}) = \mathbf{y}(\mathit{now}) + l$. Since $(\mathbf{x}, a, \mathbf{x}')$ is 
a discrete transition of $\mathrm{Extend}(A)$, it must be the case that $\mathbf{x}(\mathit{first}) \le \mathbf{x}(\mathit{now})$. 
Since $\mathbf{x}(\mathit{now}) \le \mathbf{y}(\mathit{now}) + \alpha.\mathit{ltime}$ and $\mathbf{x}(\mathit{first}) = \mathbf{y}(\mathit{now}) + l$, it follows that 
$\mathbf{y}(\mathit{now}) + l \le \mathbf{y}(\mathit{now}) + \alpha.\mathit{ltime}$. But we know by assumption that $\alpha.\mathit{ltime} < l$, 
which gives the needed contradiction. 

(b) $C$ becomes enabled at some point in the course of a trajectory $\tau$ and remains 
enabled in $A$ until the occurrence of $(\mathbf{x}, a, \mathbf{x}')$. 

Let $\mathbf{y}$ be a state in the range of $\tau$ where $C$ becomes enabled. By item 3(c) in 
the definition of $\mathcal{T}'$ we know that $\mathit{first}$ is set to $\mathbf{y}(\mathit{now}) + l$ when $C$ becomes 
enabled and it remains constant in $\tau$, so that $\mathbf{x}(\mathit{first}) = \mathbf{y}(\mathit{now}) + l$. By item 
3(b) in the definition of $\mathcal{D}'$ and 3(a) in the definition of $\mathcal{T}'$, we know that 
$\mathit{first}$ remains constant until the occurrence of $(\mathbf{x}, a, \mathbf{x}')$. Since $(\mathbf{x}, a, \mathbf{x}')$ is a 
discrete transition of $\mathrm{Extend}(A)$, it must be the case that $\mathbf{x}(\mathit{first}) \le \mathbf{x}(\mathit{now})$. 
Since $\mathbf{x}(\mathit{now}) \le \mathbf{y}(\mathit{now}) + \alpha.\mathit{ltime}$ and $\mathbf{x}(\mathit{first}) = \mathbf{y}(\mathit{now}) + l$, it follows that 
$\mathbf{y}(\mathit{now}) + l \le \mathbf{y}(\mathit{now}) + \alpha.\mathit{ltime}$. But we know by assumption that $\alpha.\mathit{ltime} < l$, 
which gives the needed contradiction. ■ 
Example 5.20 (Fischer's mutual exclusion algorithm specified using tasks and 
bounds) 

In Example 4.5 we presented the specification of Fischer's mutual exclusion algorithm 
as a TA. This example illustrates an alternative way of specifying the same algorithm by 
using a TA with bounds. 

Recall that, formally, we define a TA with bounds as a TA augmented with a single 
task along with lower and upper bounds for that task. The automaton in Figure 13 is, 
however, augmented with a set of tasks and bounds. This is for notational convenience, 
and the automaton in Figure 13 should be viewed as the automaton representing the 
cumulative result of adding in successive steps two tasks for each $i \in I$. We assume that 
Extend is applied once for each task. That is, we start with the timing-independent version 
of $\mathit{FischerME}$, apply Extend to the automaton augmented with the task $\{\mathit{set}_i\}$ to add the 
lower bound $0$ and the upper bound $u_{\mathit{set}}$, then apply Extend to the resulting automaton 
augmented with $\{\mathit{check}_i\}$ to add the lower bound $l_{\mathit{check}}$ and the upper bound $\infty$. Such 
two successive applications are allowed since the result of the first application of Extend 
satisfies the well-formedness conditions for the set of trajectories. 

The result of these successive applications yields an automaton similar to the one in 
Example 4.5. The only difference is that the mechanical application of the transformation 
would reset the value of $\mathit{firstcheck}[i]$ to $0$ as an effect of $\mathit{check}_i$, while we do not reset 
$\mathit{firstcheck}[i]$ explicitly in Example 4.5 when it becomes disabled. This is because we make use 
of the facts that the value of $\mathit{firstcheck}[i]$ is used only in determining whether $\mathit{check}_i$ is 
enabled and that $\mathit{check}_i$ becomes enabled only in the poststate of $\mathit{set}_i$, which also sets the 
value of $\mathit{firstcheck}[i]$. Note that this discrepancy does not give rise to any difference in 
the behaviors of the two automata. ■ 



5.4 Untiming 

We define an "untiming" operation that transforms a timed automaton to an untimed 
automaton of the kind defined in Section 2.5. The idea behind this operation is to reduce 
the state space of a timed automaton by identifying those states that are equivalent in 
the sense that they give rise to similar discrete behavior. The executions of the untimed 
automaton obtained as a result of applying the untiming operation to a TA, A, preserve 
the order of discrete actions of A but forget the possible time passage between them. This 
operation has its roots in a similar operation defined in [6, 4] but we do not deal with the 
finiteness of the resulting state space and ease of reachability analysis, as those papers do. 
Instead, we aim to understand the main ideas of the untiming operation of [6, 4] using our 
more general framework. 

The untiming operation uses the notion of congruence defined below to determine 
equivalence classes of states. 
Type PcValue = enumeration rem, test, set, check, leavetry, crit, reset, leaveexit 

Automaton FischerME2(u_set, l_check, I) where u_set ∈ R^{≥0}, l_check ∈ R^{≥0}, u_set < l_check 

  Variables X :     discrete pc, an array of elements of PcValue indexed by I, 
                      initially ∀i ∈ I. pc[i] = rem 
                    discrete x ∈ I ∪ {⊥} initially x = ⊥ 
  States Q :        val(X) 
  Actions A :       external try_i, crit_i, exit_i, rem_i 
                    internal test_i, set_i, check_i, reset_i      where i ∈ I 
  Transitions D : 
    external try_i 
      precondition 
        pc[i] = rem 
      effect 
        pc[i] := test 

    external crit_i 
      precondition 
        pc[i] = leavetry 
      effect 
        pc[i] := crit 

    internal test_i 
      precondition 
        pc[i] = test 
      effect 
        if x = ⊥ then 
          pc[i] := set 

    external exit_i 
      precondition 
        pc[i] = crit 
      effect 
        pc[i] := reset 

    internal set_i 
      precondition 
        pc[i] = set 
      effect 
        x := i 
        pc[i] := check 

    internal check_i 
      precondition 
        pc[i] = check 
      effect 
        if x = i then 
          pc[i] := leavetry 
        else 
          pc[i] := test 

    internal reset_i 
      precondition 
        pc[i] = reset 
      effect 
        x := ⊥ 
        pc[i] := leaveexit 

    external rem_i 
      precondition 
        pc[i] = leaveexit 
      effect 
        pc[i] := rem 

  Trajectories T :  {τ ∈ trajs(X) | pc and x constant in τ} 
  Tasks C :         ∀i ∈ I. {set_i}, {check_i} 
  Bounds B :        ∀i ∈ I. lower({set_i}) = 0, upper({set_i}) = u_set 
                    ∀i ∈ I. lower({check_i}) = l_check, upper({check_i}) = ∞ 

Figure 13: FischerME with bounds 
5.4.1 State Congruence 

Let $A = (X, Q, \Theta, E, H, \mathcal{D}, \mathcal{T})$ be a TA. An equivalence relation $R \subseteq Q \times Q$ is a congruence 
for $A$ if, for all actions $a \in (E \cup H)$ and trajectories $\tau \in \mathcal{T}$, the following hold: 

1. If $\mathbf{x}\, R\, \mathbf{y}$ and $\mathbf{x} \in \Theta$ then $\mathbf{y} \in \Theta$. 

2. If $\mathbf{x}\, R\, \mathbf{y}$ and $\mathbf{x} \xrightarrow{a} \mathbf{x}'$ then there exists a state $\mathbf{y}'$ such that $\mathbf{y} \xrightarrow{a} \mathbf{y}'$ and $\mathbf{x}'\, R\, \mathbf{y}'$. 

3. If $\mathbf{x}\, R\, \mathbf{y}$ and $\mathbf{x} \xrightarrow{\tau} \mathbf{x}'$ then there exists a state $\mathbf{y}'$ and a trajectory $\tau'$ such that 
$\mathbf{y} \xrightarrow{\tau'} \mathbf{y}'$ and $\mathbf{x}'\, R\, \mathbf{y}'$. 

The relation $R$ partitions $Q$ into equivalence classes. In the rest of this section, we use $[\mathbf{x}]$ 
to denote the equivalence class of $\mathbf{x} \in Q$, that is $[\mathbf{x}] = \{\mathbf{y} \mid \mathbf{x}\, R\, \mathbf{y}\}$. 

5.4.2 Definition of the Untiming Operation 

Given a TA $A = (X, Q, \Theta, E, H, \mathcal{D}, \mathcal{T})$ and a congruence $R \subseteq Q \times Q$ for $A$, the untiming 
operation yields an untimed automaton $\mathrm{Untime}(A, R) = (Q', \Theta', E', H', \mathcal{D}')$ where 

• $Q' = \{[\mathbf{x}] \mid \mathbf{x} \in Q\}$. 

• $\Theta' = \{[\mathbf{x}] \mid \mathbf{x} \in \Theta\}$. 

• $E' = E$. 

• $H' = H \cup \{\pi\}$ where $\pi$ is a special action representing time passage. 

• $\mathcal{D}' \subseteq Q' \times A' \times Q'$ where $A' = E' \cup H'$ such that 

1. $s \xrightarrow{a} s' \in \mathcal{D}'$ if and only if there exists $(\mathbf{x}, a, \mathbf{x}') \in \mathcal{D}$ where $[\mathbf{x}] = s$ and $[\mathbf{x}'] = s'$. 

2. $s \xrightarrow{\pi} s' \in \mathcal{D}'$ if and only if there exists $\tau \in \mathcal{T}$ where $\tau$ is closed, $[\tau.\mathit{fstate}] = s$ 
and $[\tau.\mathit{lstate}] = s'$. 
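As an added example (not from the paper), the Python code below builds $\mathrm{Untime}(A, R)$ by the definition above for a finite sample of a timed automaton: a two-location timer with one clock, observed at a handful of clock values, given as explicit lists of states, discrete transitions and $(\tau.\mathit{fstate}, \tau.\mathit{lstate})$ pairs of closed trajectories (point trajectories included). The congruence $R$ is supplied as a key function whose value is the label of a state's class, in the spirit of the region-style relation used in Example 5.21; `is_congruence` checks the three conditions of Section 5.4.1 over the listed states, which is only meaningful because the sample is finite. A second, coarser key shows how the check rejects a relation that merges states with different discrete behaviour. The automaton, the clock sample and all names are constructed for this example.

```python
from collections import defaultdict

PI = "π"   # the special action standing for time passage


def quotient(states, key):
    """Group the listed states into equivalence classes by their key."""
    classes = defaultdict(set)
    for x in states:
        classes[key(x)].add(x)
    return classes


def is_congruence(states, start, discrete, trajectories, key):
    """Check conditions 1-3 of Section 5.4.1 over a finite state sample.
    discrete: list of (x, a, x'); trajectories: list of (τ.fstate, τ.lstate) for the
    closed trajectories τ (point trajectories included); key: state -> class label."""
    classes = quotient(states, key)
    start = set(start)
    # 1. if x R y and x ∈ Θ then y ∈ Θ
    for x in start:
        if not classes[key(x)] <= start:
            return False
    # 2. every discrete step of x is matched, up to R, from each y with x R y
    for x, a, x2 in discrete:
        for y in classes[key(x)]:
            if not any(y1 == y and a1 == a and key(y2) == key(x2) for y1, a1, y2 in discrete):
                return False
    # 3. every closed trajectory from x is matched, up to R, from each y with x R y
    for x, x2 in trajectories:
        for y in classes[key(x)]:
            if not any(y1 == y and key(y2) == key(x2) for y1, y2 in trajectories):
                return False
    return True


def untime(states, start, discrete, trajectories, external, internal, key):
    """Build Untime(A, R) = (Q', Θ', E', H', D') as in Section 5.4.2."""
    Q = {key(x) for x in states}
    Theta = {key(x) for x in start}
    D = {(key(x), a, key(x2)) for x, a, x2 in discrete}
    D |= {(key(x), PI, key(x2)) for x, x2 in trajectories}
    return Q, Theta, set(external), set(internal) | {PI}, D


# Constructed sample of a timer automaton: location loc ∈ {idle, busy} and clock c,
# observed at the clock values below; "go" resets the clock, "done" needs c ≥ 1.
CLOCKS = (0.0, 0.5, 1.0, 1.5, 2.0)
LOCS = ("idle", "busy")
TIMER_STATES = [(loc, c) for loc in LOCS for c in CLOCKS]
TIMER_START = [("idle", 0.0)]
TIMER_DISCRETE = ([(("idle", c), "go", ("busy", 0.0)) for c in CLOCKS]
                  + [(("busy", c), "done", ("idle", c)) for c in CLOCKS if c >= 1.0])
# closed trajectories: loc is constant and c grows (d(c) = 1); c2 == c gives the point trajectory
TIMER_TRAJ = [((loc, c), (loc, c2)) for loc in LOCS for c in CLOCKS for c2 in CLOCKS if c2 >= c]


def region_key(x):
    """Region-style congruence: location plus the position of c relative to 0 and 1."""
    loc, c = x
    if c == 0.0:
        region = "c=0"
    elif c < 1.0:
        region = "0<c<1"
    elif c == 1.0:
        region = "c=1"
    else:
        region = "c>1"
    return (loc, region)


def coarse_key(x):
    """Too coarse: merges c = 1 with 0 < c < 1, so "done" is enabled in only part of a class."""
    loc, c = x
    return (loc, "c=0" if c == 0.0 else ("c<=1" if c <= 1.0 else "c>1"))


def untimed_timer():
    return untime(TIMER_STATES, TIMER_START, TIMER_DISCRETE, TIMER_TRAJ,
                  external=("go", "done"), internal=(), key=region_key)


if __name__ == "__main__":
    print("region key is a congruence:", is_congruence(TIMER_STATES, TIMER_START, TIMER_DISCRETE, TIMER_TRAJ, region_key))
    print("coarse key is a congruence:", is_congruence(TIMER_STATES, TIMER_START, TIMER_DISCRETE, TIMER_TRAJ, coarse_key))
    for edge in sorted(untimed_timer()[4]):
        print(edge)
```

The resulting untimed automaton has eight states (two locations times four clock regions) and its $\pi$ edges only move the clock region forward or keep it, which is the untimed trace of time passage; the "done" edge exists from the $c = 1$ and $c > 1$ regions only, exactly where the concrete guard can hold.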



Example 5.21 ($\mathrm{Untime}(\mathit{AD}, R)$) In this example we define a congruence for the automa- 
ton $\mathit{AD}$ from Example 4.19 and give the result of applying the untiming operation to 
$\mathit{AD}$ by using this congruence. Let $I$ be the set of intervals $\{(0, 1), (1, \infty)\}$. Let $R$ be an 
equivalence relation defined as follows: $\mathbf{x}\, R\, \mathbf{y}$ if the following conditions hold: 

1. $\mathbf{x} \lceil X_d = \mathbf{y} \lceil X_d$. 

2. For every $x \in X_c$, either $\mathbf{x}(x), \mathbf{y}(x) \in J$ for some $J \in I$ or $\mathbf{x}(x) = \mathbf{y}(x) = i$ for some 
integer $i$. 

3. For every $z, w \in X_c$, $\mathbf{x}(z) > \mathbf{x}(w)$ if and only if $\mathbf{y}(z) > \mathbf{y}(w)$. 

$R$ is a congruence for the automaton $\mathit{AD}$ from Example 4.19. Figure 14 contains a 
graphical representation of $\mathrm{Untime}(\mathit{AD}, R)$. Each node in the graph represents a state 
of $\mathrm{Untime}(\mathit{AD}, R)$, that is, an equivalence class of states of $\mathit{AD}$ with respect to $R$. The 
annotations within the nodes are used to define the equivalence class. For example, a node 
that is annotated with $s_0$ and $x = y = 0$ denotes the set of states $\{\mathbf{x} \in Q_{\mathit{AD}} \mid \mathbf{x}(\mathit{loc}) = 
s_0, \mathbf{x}(x) = 0, \text{ and } \mathbf{x}(y) = 0\}$. 

Figure 14: $\mathrm{Untime}(\mathit{AD}, R)$ 



5.4.3 Basic Results 

In this section we present some results that establish a correspondence between the exe- 
cutions of a TA and those of the corresponding untimed automaton. 

The lemma below states that the trace of discrete events in an execution fragment 
of a timed automaton is also exhibited by some execution fragment of the corresponding 
untimed automaton. 
Lemma 5.22 Suppose $A$ is a TA and $R$ is a congruence for $A$. If $\alpha$ is an execution 
fragment of $A$, then $\mathrm{Untime}(A, R)$ has an execution fragment $\alpha'$ such that $\alpha'.\mathit{fstate} = 
[\alpha.\mathit{fstate}]$ and $\mathit{trace}(\alpha') = \mathit{actions}(\mathit{trace}(\alpha))$. 

Proof: We consider the following cases: 

1. $\alpha$ is an infinite sequence. 

Using axioms T1 and T2 we can write $\alpha$ as an infinite concatenation $\alpha_0 \frown \alpha_1 \frown \cdots$, 
in which each execution fragment $\alpha_i$ is either a trajectory with $\alpha_i.\mathit{ltime} > 0$ or a 
single discrete action surrounded by two point trajectories, and for every $i \ge 0$, 
$\alpha_i.\mathit{lstate} = \alpha_{i+1}.\mathit{fstate}$. 

We define a sequence $\alpha'_0\, \alpha'_1 \cdots$ of execution fragments of $\mathrm{Untime}(A, R)$ such that 

(a) If $\alpha_i$ is a trajectory, then $\alpha'_i = (s, \pi, s')$ where $s = [\alpha_i.\mathit{fstate}]$ and $s' = [\alpha_i.\mathit{lstate}]$ 
(recall that we use $[\mathbf{x}]$ to denote the equivalence class of $\mathbf{x}$ with respect to $R$). 

(b) If $\alpha_i$ is a single discrete action $a$ surrounded by two point trajectories, then 
$\alpha'_i = (s, a, s')$ where $s = [\alpha_i.\mathit{fstate}]$, $s' = [\alpha_i.\mathit{lstate}]$. 

It is immediate from the definition of $\mathrm{Untime}(A, R)$ in Section 5.4.2 that each $\alpha'_i$ 
constructed above is an execution fragment of $\mathrm{Untime}(A, R)$ and that $\alpha'.\mathit{fstate} = 
[\alpha.\mathit{fstate}]$. By the definitions of concatenation and execution fragments for untimed 
automata from Section 2.5 we have that $\alpha'_0 \frown \alpha'_1 \frown \cdots$ is an execution fragment 
of $\mathrm{Untime}(A, R)$. By the definitions of the operators $\mathit{trace}$ for untimed automata from 
Section 2.5, and for timed automata from Section 4, and $\mathit{discrete}$ from Section 3, we 
have $\mathit{trace}(\alpha') = \mathit{actions}(\mathit{trace}(\alpha))$, as needed. 

2. $\alpha$ is a finite sequence ending with a closed trajectory. 
Similar to the first case. 

3. $\alpha$ is a finite sequence ending with an open trajectory. 

The sequence $\alpha'$ can be constructed similarly to the first case except for the last 
trajectory $\tau_n$ in $\alpha$. Taking $\alpha'_n$ to be the empty sequence gives the required result. ■ 

Corollary 5.23 Suppose $A$ is a TA and $R$ is a congruence for $A$. If $\alpha$ is an execution of 
$A$, then $\mathrm{Untime}(A, R)$ has an execution $\alpha'$ such that $\mathit{trace}(\alpha') = \mathit{actions}(\mathit{trace}(\alpha))$. 

Proof: Let $\alpha$ be an execution of $A$. We know by Lemma 5.22 that $\mathrm{Untime}(A, R)$ has an 
execution fragment $\alpha'$ such that $\mathit{trace}(\alpha') = \mathit{actions}(\mathit{trace}(\alpha))$ and $\alpha'.\mathit{fstate} = [\alpha.\mathit{fstate}]$. Since $\alpha$ is 
an execution of $A$, $\alpha.\mathit{fstate} \in \Theta_A$. Then by the definition in Section 5.4.2, $\alpha'.\mathit{fstate} \in \Theta'$ 
and therefore $\alpha'$ is an execution of $\mathrm{Untime}(A, R)$, as needed. ■ 
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The following lemma states that, for every execution fragment a of Untime(^, K) and 
for every state x that is in the equivalence class respresented by the first state of a, it is 
possible to derive an execution fragment of A from x that exhibits the same discrete trace 
as Untime(^, R). 

Lemma 5.24 Suppose A is a TA and R is a congruence for A. If a is an execution 
fragment of Untime(^, i?) and x is a state of A such that [x] = a.fstate, then A has an 
execution fragment a' from x such that trace{a) = actions (trace (a' )) . 

Proof: 

1. a is an infinite sequence of the form sq ai sia2 S2 ■ ■ ■ 

The sequence a can be written as the concatenation ao '^ ai '^ a2 ■ ■ ■ of execu- 
tion fragments (sj, aj+i, Sj+i) for « > 0. We define a' inductively as the con- 
catenation Qfg ^ a'l ^ a2- ■ ■ where [aQ.fstate] = a.fstate and for every « > 0, 
a[.lstate = a[_^_i.fstate and [a[.lstate] = Sj as follows: 

(a) Qfg = p(x). By axiom TO, a^ is an execution fragment of ^. Since a'^Jstate = x 
by construction of QfQ and [x] = a.fstate by definition of x, we have [aQ.fstate] = 
a.fstate. Since a'^.lstate = x by construction of a'^ and [x] = a.fstate by 
definition of x and a.fstate = sq by the assumed structure of a we have 

[a'Q.lstate] = sq. 

(b) For « > 1, if ai-i is (si_i,ai,Si) where ai G {A' \ {tt}), then define a[ to 
be p{a[_i.lstate) Oi p{y) where {a[_i.lstate,ai,y) G V and [y] = Sj. We 
need to show that A has such an execution fragment a[. For « > 1, con- 
sider ai-i = {si-i,ai,Si). By definition of Untime(^, i?) in Section 5.4.2, 
there must be some (z,aj,z') G V such that [z] = Sj-i and [z'] = Sj. By 
inductive hypothesis [a[_i.lstate] = Si-i. Since [a[_i.lstate] = Si-i = [z] 
we know by the definition of state congruence in Section 5.4.1 that there 
exists y such that {a'j^_-^^.lstate,ai,y) G V and [y] = [z'] = Sj. Therefore, 
q;^ = p{a[_i.lstate) ai p(y) is an execution fragment of A where a[.fstate = 
a[_i.lstate and [a[.lstate] = Si. 

(c) For $i \geq 1$, if $\alpha_{i-1}$ is $(s_{i-1}, a_i, s_i)$ where $a_i$ is the $\pi$ action, then define $\alpha'_i$ to be 
$\tau$ where $\tau \in \mathcal{T}$, $\tau.fstate = \alpha'_{i-1}.lstate$ and $[\tau.lstate] = s_i$. We need to show that 
$\mathcal{A}$ has such an execution fragment $\alpha'_i$. For $i \geq 1$, consider $\alpha_{i-1} = (s_{i-1}, a_i, s_i)$. 
By definition of $Untime(\mathcal{A}, R)$ in Section 5.4.2, there must be some trajectory 
$\tau'$ such that $\tau'$ is closed, $[\tau'.fstate] = s_{i-1}$ and $[\tau'.lstate] = s_i$. By the inductive 
hypothesis $[\alpha'_{i-1}.lstate] = s_{i-1}$. Since $[\alpha'_{i-1}.lstate] = s_{i-1} = [\tau'.fstate]$, we know 
by the definition of state congruence in Section 5.4.1 that there exists $\tau$ where 
$\tau.fstate = \alpha'_{i-1}.lstate$ and $[\tau.lstate] = s_i = [\tau'.lstate]$. Therefore, $\alpha'_i = \tau$ is an 
execution fragment of $\mathcal{A}$ where $\alpha'_i.fstate = \alpha'_{i-1}.lstate$ and $[\alpha'_i.lstate] = s_i$. 
By construction of $\alpha'$, we have $\alpha.fstate = [\alpha'.fstate]$. Since $\alpha'_i.lstate = \alpha'_{i+1}.fstate$ 
for all $i \geq 0$, we know by Lemma 4.7 that $\alpha' = \alpha'_0 \frown \alpha'_1 \frown \alpha'_2 \cdots$ is an execution 
fragment of $\mathcal{A}$. It is easy to check that $trace(\alpha) = actions(trace(\alpha'))$. 

2. $\alpha$ is a finite sequence of the form $s_0\, a_1\, s_1\, a_2\, s_2 \cdots s_n$. 
The proof is similar to the previous case. 



Corollary 5.25 Suppose $\mathcal{A}$ is a TA and $R$ is a congruence for $\mathcal{A}$. If $\alpha$ is an execution of 
$Untime(\mathcal{A}, R)$, and $x$ is a state of $\mathcal{A}$ such that $[x] = \alpha.fstate$, then $\mathcal{A}$ has an execution $\alpha'$ 
from $x$ such that $trace(\alpha) = actions(trace(\alpha'))$. 

Proof: Let $\alpha$ be an execution of $Untime(\mathcal{A}, R)$ and $x$ be a state of $\mathcal{A}$ such that $[x] = 
\alpha.fstate$. By Lemma 5.24, we know that $\mathcal{A}$ has an execution fragment $\alpha'$ from $x$ such that 
$trace(\alpha) = actions(trace(\alpha'))$. Since $\alpha$ is an execution, $\alpha.fstate \in \Theta'$. By the definition of 
$Untime(\mathcal{A}, R)$ in Section 5.4.2, we know that $x \in \Theta$, and therefore $\alpha'$ is an execution of $\mathcal{A}$, 
as needed. ■ 



5.4.4 An Equivalence Relation for Alur-Dill Automata 

In [6, 4] Alur and Dill present a region construction technique that allows an infinite state 
space to be reduced to a finite state space by using an equivalence relation on states. 
Our untiming operation is based on a similar idea. It aims to reduce the state space by 
identifying those states that exhibit "equivalent" behavior. Our operation, however, does 
not use a fixed equivalence relation. Rather, it is parameterized by equivalence relations 
that meet our congruence criteria. 

In this section we formulate the equivalence relation of Alur and Dill presented in [6] 
in our framework and show that it is a congruence for an AD automaton under a certain 
set of assumptions. Recall that our definition of AD automata (see Section 4.3.2) does 
not impose any restrictions on the form of clock constraints. Adopting such a general 
definition and seeking a minimal set of assumptions required for the proof allows us to 
identify which restrictions were incorporated into the model of Alur and Dill mainly to 
ensure that the resulting region automata have a finite state space. 

Let $\mathcal{A} = (X, Q, \Theta, E, H, \mathcal{D}, \mathcal{T})$ be an AD timed automaton where $X$ is partitioned into 
two sets: $X_d$ of discrete variables and $X_c$ of clock variables. Let $I$ be the set of intervals 
and $P$ be the set of points in the time domain $T = \mathbb{R}$ defined as follows: 

$I = \{(t_i, t_i + 1) \mid t_i \in \mathbb{N}\}$. 
$P = \mathbb{N}$. 

Now, we define an equivalence relation $\sim$ over $Q$. In our definition we use the notation 
$fr(v)$ for the fractional part of a value $v$. Two states $\mathbf{x}, \mathbf{y} \in Q$ are related, written $\mathbf{x} \sim \mathbf{y}$, 
if the following conditions hold: 

1. $\mathbf{x} \lceil X_d = \mathbf{y} \lceil X_d$. 

2. For every $x \in X_c$, either $\{\mathbf{x}(x), \mathbf{y}(x)\} \subseteq J$ for some $J \in I$ or $\mathbf{x}(x) = \mathbf{y}(x) = i$ for 
some $i \in P$. 

3. For every $z, w \in X_c$, $fr(\mathbf{x}(z)) > fr(\mathbf{x}(w))$ if and only if $fr(\mathbf{y}(z)) > fr(\mathbf{y}(w))$. 

The first property in the definition of ~ requires that a discrete variable have the 
same value in two related states. The second property involves clock variables. If a clock 
variable has a value that falls between a pair of consecutive integers, then its value must 
be between the same integers in a related state. Likewise, if a clock variable has an integer 
value, it must have the same value in a related state. The third property states that the 
ordering of the fractional parts of different clock variables must be the same across related 
states. 

The following theorem states that the relation $\sim$ defined above is a congruence for an 
AD automaton $\mathcal{A}$ if the same discrete actions can be performed from two equivalent states 
with the same effect. 

Theorem 5.26 Assume for an AD automaton $\mathcal{A}$ that whenever $\mathbf{x} \sim \mathbf{y}$ for two states 
$\mathbf{x}, \mathbf{y} \in Q$, and $\mathbf{x} \xrightarrow{a} \mathbf{x}' \in \mathcal{D}$, then there exists $\mathbf{y} \xrightarrow{a} \mathbf{y}' \in \mathcal{D}$ such that 

• $\mathbf{x}' \lceil X_d = \mathbf{y}' \lceil X_d$. 

• For every $x \in X_c$, $\mathbf{x}'(x) = 0$ if and only if $\mathbf{y}'(x) = 0$. 

Then relation $\sim$ is a congruence for $\mathcal{A}$. 

Proof: We establish the three properties of congruence defined in Section 5.4.1 for the 
relation ~. 

1. Suppose $\mathbf{x} \sim \mathbf{y}$ and $\mathbf{x} \in \Theta$. By definition of AD automata from Section 4.3.2, if 
$\mathbf{x} \in \Theta$ then for all $x \in X_c$, $\mathbf{x}(x) = 0$. Since $\mathbf{x} \sim \mathbf{y}$, for all $x \in X_c$, we have $\mathbf{y}(x) = 0$, 
and $\mathbf{x} \lceil X_d = \mathbf{y} \lceil X_d$. It follows that $\mathbf{x} = \mathbf{y}$, and therefore $\mathbf{y} \in \Theta$ as needed. 

2. Suppose $\mathbf{x} \sim \mathbf{y}$ and $\mathbf{x} \xrightarrow{a} \mathbf{x}'$ where $a$ is a discrete action. By assumption there exists 
$\mathbf{y}'$ such that $\mathbf{y} \xrightarrow{a} \mathbf{y}'$. It remains to show that $\mathbf{x}' \sim \mathbf{y}'$. We do this by establishing 
the three properties in the definition of $\sim$. 
(a) The first property is immediate from the assumptions. 

(b) For the second property, we are required to show that for all $x \in X_c$, either 
$\mathbf{x}'(x)$ and $\mathbf{y}'(x)$ are in the same interval or have the same integer value. We fix 
$x$ and consider two cases: 

i. $\mathbf{x}'(x) = 0$. 

By assumption $\mathbf{x}'(x) = 0$ if and only if $\mathbf{y}'(x) = 0$. Clearly, $\mathbf{x}'(x)$ and $\mathbf{y}'(x)$ 
have the same integer value 0. 

ii. $\mathbf{x}'(x) \neq 0$. 

By definition of AD automata from Section 4.3.2, $\mathbf{x}'(x) = \mathbf{x}(x)$. Since 
$\mathbf{x}'(x) = 0$ if and only if $\mathbf{y}'(x) = 0$ by assumption, we have $\mathbf{y}'(x) \neq 0$, 
and by definition of AD automata we have $\mathbf{y}'(x) = \mathbf{y}(x)$. Since $\mathbf{x} \sim \mathbf{y}$ by 
hypothesis, $\mathbf{y}(x)$ and $\mathbf{x}(x)$ are in the same interval (or have the same integer value). Since $\mathbf{y}'(x) = \mathbf{y}(x)$ and 
$\mathbf{x}(x) = \mathbf{x}'(x)$, $\mathbf{x}'(x)$ and $\mathbf{y}'(x)$ are in the same interval (or have the same integer value), as needed. 

(c) For the third property, we are required to show that for any $z, w \in X_c$, the 
ordering between the fractional parts of $z$ and $w$ in $\mathbf{x}'$ is preserved in $\mathbf{y}'$. For a 
fixed $z$ and a fixed $w$ consider the following cases: 

i. Neither $z$ nor $w$ is reset by action $a$. 

Then, $\mathbf{x}'(z) = \mathbf{x}(z)$ and $\mathbf{x}'(w) = \mathbf{x}(w)$. Since $\mathbf{x} \sim \mathbf{y}$, we know that 
$fr(\mathbf{x}(z)) > fr(\mathbf{x}(w))$ if and only if $fr(\mathbf{y}(z)) > fr(\mathbf{y}(w))$. It follows that 
$fr(\mathbf{x}'(z)) > fr(\mathbf{x}'(w))$ if and only if $fr(\mathbf{y}'(z)) > fr(\mathbf{y}'(w))$, as needed. 

ii. Both $z$ and $w$ are reset by action $a$. 

By assumption we have $\mathbf{x}'(z) = 0$ if and only if $\mathbf{y}'(z) = 0$ and $\mathbf{x}'(w) = 0$ 
if and only if $\mathbf{y}'(w) = 0$. Since $fr(\mathbf{x}'(z)) = fr(\mathbf{x}'(w)) = fr(\mathbf{y}'(z)) = 
fr(\mathbf{y}'(w)) = 0$, it is obvious that the ordering between the fractional parts 
of the clocks in $\mathbf{x}'$ is preserved in $\mathbf{y}'$. 

iii. One of the clocks is reset by action $a$. 

Without loss of generality, let the clock that is reset be $z$. That is, $\mathbf{x}'(z) = 0$ 
and $\mathbf{x}'(w) = \mathbf{x}(w)$. Then, either $fr(\mathbf{x}'(w)) = 0$ or $fr(\mathbf{x}'(w)) \neq 0$. First, 
suppose $fr(\mathbf{x}'(w)) = 0$. Then, $fr(\mathbf{x}'(z)) = fr(\mathbf{x}'(w))$. Since $fr(\mathbf{x}'(w)) = 0$, 
$\mathbf{x}'(w) = v$ for an integer $v$. By case (b), we have $\mathbf{y}'(w) = v$ and hence 
$fr(\mathbf{y}'(w)) = 0$. It follows that $fr(\mathbf{y}'(z)) = fr(\mathbf{y}'(w))$. Now, suppose that 
$fr(\mathbf{x}'(w)) \neq 0$. Then $fr(\mathbf{x}'(z)) < fr(\mathbf{x}'(w))$. By the assumption which says that 
for all $x \in X_c$, $\mathbf{x}'(x) = 0$ if and only if $\mathbf{y}'(x) = 0$, we have $\mathbf{y}'(z) = 0$. Since 
$fr(\mathbf{x}'(w)) \neq 0$, by the same assumption we get $\mathbf{y}'(w) \neq 0$, and by case (b) $\mathbf{y}'(w)$ lies in the 
same open interval as $\mathbf{x}'(w)$, so $fr(\mathbf{y}'(w)) \neq 0$. It follows that 
$fr(\mathbf{y}'(z)) < fr(\mathbf{y}'(w))$. Hence, we have shown that the ordering between 
the fractional parts of the clocks in $\mathbf{x}'$ is preserved in $\mathbf{y}'$. 

3. Suppose $\mathbf{x} \sim \mathbf{y}$ and $\mathbf{x} \xrightarrow{\tau} \mathbf{x}'$ where $\tau$ is a trajectory. We need to show that we can 
find a trajectory $\tau'$ such that $\mathbf{x}' \sim \mathbf{y}'$ where $\mathbf{y}'(x) = \mathbf{y}(x) + \tau'.ltime$ for all $x \in X_c$. We 
do this by establishing the three properties in the definition of $\sim$. 

(a) The first property is immediate from the assumption. 

(b) For the second property, we are required to show that for all $x \in X_c$, either 
$\mathbf{x}'(x)$ and $\mathbf{y}'(x)$ are in the same interval or have the same integer value. We 
consider the following cases: 

i. Zero time passage ($\tau.ltime = 0$). 

Clearly, $\tau'$ with $\tau'.ltime = 0$ results in $\mathbf{y}' = \mathbf{y}$. Since $\mathbf{x} \sim \mathbf{y}$ by hypothesis, 
we have $\mathbf{x}' \sim \mathbf{y}'$, as needed. 

ii. $\tau.ltime > 0$ and $\tau$ does not make any clock reach an integer boundary. 

A. Some clocks remain in the same interval. 

Let $Cross$ be the set of clocks that crossed to a new interval and let 
$NotCross$ be the set of clocks that did not cross to a new interval. We 
need to make sure that the $\tau'$ that we choose makes all elements of $Cross$ 
cross to a new interval in $\mathbf{y}'$ and all elements of $NotCross$ remain in the 
same interval, while preserving the ordering of fractional parts of clock 
values across two equivalent states. Consider the set $\{t - \mathbf{y}(z) \mid z \in 
Cross, \mathbf{x}'(z) \in (t, t+1)\}$ and define $m$ to be the maximum element of this 
set if it is non-empty and to be 0 if it is empty. Now, consider the set 
$\{(t+1) - \mathbf{y}(w) \mid w \in NotCross, \mathbf{x}(w), \mathbf{x}'(w) \in (t, t+1)\}$ and define $n$ 
to be the minimum element of this set. It is easy to check that for any $\tau'$ 
such that $m < \tau'.ltime < n$, property 2 holds for $\mathbf{x}'$ and $\mathbf{y}'$. 

B. All clocks cross to a new interval. 

Let $m, n \in T$ be, respectively, the maximum and minimum elements 
of the set $\{t - \mathbf{y}(x) \mid \mathbf{x}'(x) \in (t, t+1)\}$. Taking $\tau'$ such that $m < 
\tau'.ltime < n + 1$ gives the required result. 

iii. $\tau.ltime > 0$ and $\tau$ makes some clocks reach an integer boundary. 

Let $Reach$ be the set of clocks that reached an integer boundary. Observe 
that for any two elements $z$ and $w$ of $Reach$ it must be the case that 
$fr(\mathbf{x}(z)) = fr(\mathbf{x}(w))$. Now, take some $x \in Reach$ and let $m = t - \mathbf{y}(x)$ 
where $t = \mathbf{x}'(x)$. Any $\tau'$ such that $\tau'.ltime = m$ gives us the required 
result. It is clear that such a $\tau'$ makes all the clocks in $Reach$ reach an 
integer boundary. For any $z \in Reach$ and any clock $w$ that has not reached 
an integer boundary in $\mathbf{x}'$, it must be the case that $fr(\mathbf{x}(z)) > fr(\mathbf{x}(w))$. 
By hypothesis and the third property of $\sim$, we also know that $fr(\mathbf{y}(z)) > 
fr(\mathbf{y}(w))$. It follows that $w$ does not reach an integer boundary in $\mathbf{y}'$, 
as required. In the case where $w$ is a clock that has crossed an integer 
boundary in $\mathbf{x}'$, we observe that $fr(\mathbf{x}(z)) < fr(\mathbf{x}(w))$ holds and conclude 
that the $\tau'$ we have chosen makes $w$ cross the same integer boundary in $\mathbf{y}'$. 

(c) For the third property, we need to show that the $\tau'$ we defined for each case 
above ensures that the ordering between the fractional parts of the clocks in 
$\mathbf{x}'$ is preserved in $\mathbf{y}'$. 

By property 2, which we have established for $\mathbf{x}'$ and $\mathbf{y}'$, we know that, for any 
$x \in X_c$, if $\tau$ leads to $\mathbf{x}'(x) \in J$ then $\tau'$ has the same effect on $\mathbf{y}$ such that 
$\mathbf{y}'(x) \in J$. Similarly, if $\tau$ makes a clock reach an integer boundary in the 
evolution from $\mathbf{x}$ to $\mathbf{x}'$, that is $\mathbf{x}'(x) = t$, then $\tau'$ yields $\mathbf{y}'(x) = t$. Since $\mathbf{x} \sim \mathbf{y}$, 
by property 3, we also know that the ordering between the fractional parts of 
clocks in $\mathbf{x}$ and $\mathbf{y}$ is the same. We know that in $\tau'$ all the clocks increase by 
the same amount. It follows that the ordering between the fractional parts of 
clocks is the same in $\mathbf{x}'$ and $\mathbf{y}'$. ■ 
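The relation $\sim$ of Section 5.4.4 and the matching-delay construction from part 3 of the proof of Theorem 5.26, as an added Python example that is not part of the paper: the state layout (a dict with one discrete variable `loc` and two clocks `z`, `w`), the exact-arithmetic representation of clock values, and all sample states are assumptions made here.

```python
"""Added example (not from the paper): the Alur-Dill region equivalence ~ of
Section 5.4.4 on constructed AD-automaton states, the discrete-step and
trajectory effects on clocks, and the matching-delay construction used in
part 3 of the proof of Theorem 5.26.  State layout (a dict with a discrete
variable `loc` and clocks `z`, `w`) and all sample values are assumptions."""
from fractions import Fraction
from math import floor

DISCRETE = ["loc"]          # X_d
CLOCKS = ["z", "w"]         # X_c

# Two constructed states that should satisfy X ~ Y: same discrete part, every
# clock in the open interval (0, 1), and fr(z) > fr(w) in both.
X = {"loc": "idle", "z": Fraction(9, 10), "w": Fraction(2, 10)}
Y = {"loc": "idle", "z": Fraction(8, 10), "w": Fraction(3, 10)}


def fr(v):
    """Fractional part fr(v) of a clock value (exact, values are Fractions)."""
    return v - floor(v)


def same_region(a, b):
    """Condition 2 of ~ for one clock: both values are the same integer in
    P = N, or both lie in the same open interval (t, t+1) of I."""
    if fr(a) == 0 or fr(b) == 0:
        return a == b
    return floor(a) == floor(b)


def equivalent(x, y, discrete_vars=DISCRETE, clock_vars=CLOCKS):
    """Decide x ~ y for states given as dicts from variable name to value."""
    if any(x[d] != y[d] for d in discrete_vars):                # condition 1
        return False
    if any(not same_region(x[c], y[c]) for c in clock_vars):    # condition 2
        return False
    for z in clock_vars:                                        # condition 3
        for w in clock_vars:
            if (fr(x[z]) > fr(x[w])) != (fr(y[z]) > fr(y[w])):
                return False
    return True


def discrete_step(x, resets, discrete_update=None, clock_vars=CLOCKS):
    """Effect of an AD-automaton discrete step: clocks in `resets` become 0,
    other clocks are unchanged, and the discrete part is overwritten by
    `discrete_update` (the same update in both related states, which is what
    the hypothesis of Theorem 5.26 demands)."""
    x2 = dict(x)
    for c in clock_vars:
        if c in resets:
            x2[c] = Fraction(0)
    if discrete_update:
        x2.update(discrete_update)
    return x2


def advance(x, delta, clock_vars=CLOCKS):
    """Last state of a trajectory of duration delta: every clock grows by delta."""
    x2 = dict(x)
    for c in clock_vars:
        x2[c] = x[c] + delta
    return x2


def matching_delay(x, y, delta, clock_vars=CLOCKS):
    """Given x ~ y and a trajectory of duration delta from x, return a duration
    delta' such that advance(y, delta') ~ advance(x, delta), following the case
    analysis in part 3 of the proof of Theorem 5.26: a clock that reaches an
    integer boundary (the Reach case) pins delta' exactly; every other clock
    only bounds delta' from below and above (the m and n of the Cross /
    NotCross cases), so any value strictly in between works."""
    if delta == 0:
        return Fraction(0)                 # zero time passage: y' = y
    exact, lo, hi = None, Fraction(0), None
    for c in clock_vars:
        target = x[c] + delta
        if fr(target) == 0:                # c in Reach: need y'(c) == target
            d = target - y[c]
            if exact is not None and d != exact:
                raise ValueError("states are not ~-equivalent")
            exact = d
        else:                              # need y'(c) in (t, t+1)
            t = floor(target)
            lo = max(lo, t - y[c])
            upper = t + 1 - y[c]
            hi = upper if hi is None else min(hi, upper)
    if exact is not None:
        if exact <= lo or (hi is not None and exact >= hi):
            raise ValueError("states are not ~-equivalent")
        return exact
    if hi is None:                         # no clocks at all
        return delta
    if not lo < hi:
        raise ValueError("states are not ~-equivalent")
    return (lo + hi) / 2                   # strictly between m and n


if __name__ == "__main__":
    print("X ~ Y:", equivalent(X, Y))
    print("delta' for delta = 1/10:", matching_delay(X, Y, Fraction(1, 10)))
    print("still equivalent after resetting z:",
          equivalent(discrete_step(X, {"z"}), discrete_step(Y, {"z"})))
```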



6 Properties for Timed Automata 

In this section, we define what we mean by a property for a timed automaton, describe 
some types of properties that are typically specified and proved for systems, and state 
some results about composition of automata with properties. 

6.1 Definitions and Basic Results 

A property $P$ for a timed automaton $\mathcal{A}$ is defined to be any subset of the execution 
fragments of $\mathcal{A}$. We write $execs_{(\mathcal{A},P)}$ for the set of executions of $\mathcal{A}$ in $P$, $traces_{(\mathcal{A},P)}$ for the 
set of traces of executions of $\mathcal{A}$ in $P$, and $tracefrags_{(\mathcal{A},P)}$ for the set of traces of execution 
fragments of $\mathcal{A}$ in $P$. 

6.1.1 Safety and Liveness Properties 

[[Nancy: We should ask Frits and Roberto to consider/approve the changed 
discussion of safety and liveness properties, and other significant changes we 
are making near the end of the paper.]] 

A property P for a TA A is said to be a safety property if it is closed under prefix and 
limits of execution fragments. In other words, if an execution fragment satisfies a safety 
property P, then so do all its prefixes, and if all the executions in a "chain" of successive 
extensions satisfy P, then so does the "limit" of the chain. Safety properties represent 
requirements that should be maintained by the system throughout its execution. 

We say that an automaton A satisfies a safety property S if every execution of A is in 
S. Typically, the satisfaction of a safety property by an automaton is proved by induction. 
One shows that the property holds in any trivial execution fragment consisting of a point 
trajectory and that it is preserved by discrete steps and trajectories of the automaton. 

A property $P$ for $\mathcal{A}$ is defined to be a liveness property provided that for any closed 
execution fragment $\alpha$ of $\mathcal{A}$, there exists an execution fragment $\beta$ such that $\alpha \frown \beta \in P$. In 
other words, no matter how $\mathcal{A}$ behaves for a finite period of time, it is still possible for it 
to continue in some way and satisfy $P$. 

We say that an automaton $\mathcal{A}$ satisfies a liveness property $L$ if every "maximal" execu- 
tion of $\mathcal{A}$ (an execution $\alpha$ such that there exists no execution of which $\alpha$ is a proper prefix) 
is in L. Typically, the proof of the satisfaction of a liveness property by an automaton 
involves the use of proof rules of a temporal logic, or progress functions from states to a 
well-founded set that measure the distance from the desired goal. 

These definitions of safety and liveness are analogous to those considered for untimed 
systems in [3, 8, 10], and have also been adopted in the few models for timed systems that 
have addressed the classification of properties as safety and liveness properties [36, 1]. In 
order to support the definitions for our model we establish the following results, stated 
formally in Theorems 6.1 and 6.4: (1) The classes of safety and liveness properties are 
disjoint, (2) Every property can be expressed as the intersection of a safety and a liveness 
property. 

The following theorem states that no property of a timed automaton can be both a 
safety and a liveness property, except for the special case where the property consists of 
all the execution fragments of the automaton. 

Theorem 6.1 Let $\mathcal{A}$ be a TA. If $P$ is both a safety property and a liveness property for 
$\mathcal{A}$, then $P = frags_{\mathcal{A}}$. 

Proof: Suppose that $P$ is both a safety and a liveness property for $\mathcal{A}$ and let $\alpha$ be any 
execution fragment of $\mathcal{A}$. We show $\alpha \in P$. Now consider the following cases: 

1. $\alpha$ is a closed execution fragment. 

Then, since $P$ is a liveness property, there exists $\beta$ such that $\alpha \frown \beta \in P$. Since $P$ is 
also a safety property and is prefix-closed by definition, it must be that $\alpha \in P$. 

2. $\alpha$ is an infinite sequence or a finite sequence ending with a right-open trajectory. 
Then, $\alpha$ can be expressed as the limit of a chain of closed execution fragments 
$\alpha_0\, \alpha_1\, \alpha_2 \cdots$. In case (1) we have established that for all $i \geq 0$, $\alpha_i \in P$. Since $P$ is a 
safety property, the limit of this chain, which is $\alpha$, must be in $P$. 

Cases (1) and (2) together imply that $P = frags_{\mathcal{A}}$. ■ 

Let $\mathcal{A}$ be a TA and $P$ be a property for $\mathcal{A}$. We define $safe(P)$ to be the prefix- and 
limit-closure of the property $P$. 

Lemma 6.2 Let $\mathcal{A}$ be a TA. For any property $P$ for $\mathcal{A}$, $safe(P)$ is a safety property for 
$\mathcal{A}$. 

Proof: Immediate from the definitions of $safe(P)$ and of a safety property. ■ 



Lemma 6.3 Let $\mathcal{A}$ be a TA and $P$ be a property for $\mathcal{A}$. If $\alpha$ is a closed execution fragment 
and $\alpha \in safe(P)$ then $\alpha$ is a prefix of some element in $P$. 

The following theorem states that any property for an automaton can be expressed as 
the intersection of a safety and a liveness property for that automaton. 

Theorem 6.4 Let $\mathcal{A}$ be a TA. If $P$ is a property for $\mathcal{A}$, then there exists a safety property 
$S$ and a liveness property $L$ for $\mathcal{A}$ such that $P = S \cap L$. 

Proof: Let $S = safe(P)$. By Lemma 6.2, we know that $S$ is a safety property for $\mathcal{A}$. 
Let $L = P \cup \{\alpha \mid \alpha \in frags_{\mathcal{A}}$, $\alpha$ is closed and no execution fragment of the form $\alpha \frown 
\beta$ is in $P\}$. We now show that $L$ is a liveness property. Let $\alpha$ be a closed execution 
fragment of $\mathcal{A}$. If there exists some execution fragment $\beta$ of $\mathcal{A}$ such that $\alpha \frown \beta \in P$, then 
$\alpha \frown \beta \in L$ because $P \subseteq L$. On the other hand, if there is no execution fragment $\beta$ such 
that $\alpha \frown \beta \in P$, then $\alpha$ is explicitly defined to be in $L$. Hence, we have shown that any 
closed execution fragment of $\mathcal{A}$ has an extension in $L$ as needed. 

In order to conclude $P = S \cap L$, we need to show that $P \subseteq S \cap L$ and that $S \cap L \subseteq P$. 
$P \subseteq S \cap L$ is immediate from the definitions of $S$ and $L$. We now show that $S \cap L \subseteq P$. 
Let $\alpha$ be an execution fragment in $S \cap L$ and suppose for the sake of contradiction that 
$\alpha \notin P$. Since $\alpha \in L - P$, by definition of $L$, $\alpha$ is closed and there exists no execution 
fragment $\beta$ such that $\alpha \frown \beta \in P$. Since $\alpha \in S$ and $\alpha$ is closed, by Lemma 6.3, $\alpha$ must be 
a prefix of an execution fragment in $P$. This gives the needed contradiction. ■ 



6.1.2 Machine-closure 

Consider a safety property $S$ and a liveness property $L$ for an automaton $\mathcal{A}$. It is in 
general desirable that $L$ does not itself impose safety constraints, beyond those already 
imposed by $S$. To achieve this, $L$ should be defined so that every closed execution in $S$ 
can be extended to some execution that is in both $S$ and $L$. The notion of machine-closure 
is used to formalize this condition. The pair of properties $(S, L)$ is defined to be machine- 
closed provided that, for every closed execution fragment $\alpha \in S$, there exists $\beta$ such that 
$\alpha \frown \beta \in S \cap L$. 

Example 6.5 (A non-machine-closed pair of properties) Consider the timing- 
independent TA $\mathcal{A}$, given in Figure 15, whose set of state variables consists of a single 
discrete variable $countb$, and whose set of trajectories is exactly the set of constant-valued 
functions over left-closed time intervals with left endpoint 0. The automaton $\mathcal{A}$ can per- 
form $b$ any time and it can perform $a$ provided that it has not performed $b$. Now, consider 
the liveness property $L$ for $\mathcal{A}$ that consists of all the executions with infinitely many dis- 
crete actions and the safety property $S$ for $\mathcal{A}$ that consists of all the executions containing 
at most one $b$ event. Then, since $b$ disables all future $a$s, the intersection of $L$ and $S$ 
contains all the executions of $\mathcal{A}$ with infinitely many $a$ events and no $b$ events. 

Automaton A 
  Variables X:     discrete countb ∈ Z initially 0 
  States Q:        val(X) 
  Actions A:       external a, b 
  Transitions D:   external a 
                     precondition 
                       countb = 0 
                   external b 
                     effect 
                       countb := countb + 1 
  Trajectories T:  satisfies 
                     constant(countb) 

Figure 15: Machine closure 

Now, consider a closed execution $\alpha$ in $S$ whose last action is $b$. This implies that $\alpha$ 
has no extension that contains an $a$, since by assumption the occurrence of $b$ disables $a$. 
The only way of extending $\alpha$ to an execution $\alpha \frown \alpha'$ that contains infinitely many discrete 
actions is to perform infinitely many $b$s, but this would yield an execution $\alpha \frown \alpha'$ in $L - S$. 
Hence, the pair $(S, L)$ is not machine-closed. ■ 

The above example illustrates that if a pair of safety and liveness properties for an 
automaton is not machine-closed, then the automaton may exhibit an anomaly. Namely, 
after some prefixes, the automaton may not be able to meet its liveness requirement 
without violating its safety requirement. This phenomenon has been observed in several 
studies on the classification of properties for untimed systems, including those by Dederichs 
and Weber [10], and Abadi and Lamport [1]. These studies suggest that the problem lies 
in defining the intended safety and liveness properties independently from one another. 
If the above-mentioned anomaly is to be avoided, a pair of safety and liveness properties 
needs to be defined so that the pair is machine-closed. 

The following theorem states that a pair of a safety and a liveness property for an 
automaton is machine-closed if the liveness property is defined as a subset of the safety 
property. 
Theorem 6.6 Let $\mathcal{A}$ be a TA, $S$ be a safety property and $L$ be a liveness property for $\mathcal{A}$ 
such that $L \subseteq S$. Then the pair $(S, L)$ is machine-closed. 

Proof: Let $\alpha$ be a closed execution fragment in $S$. Since $L$ is a liveness property for $\mathcal{A}$, 
there exists $\beta$ such that $\alpha \frown \beta \in L$. Since $L \subseteq S$, we have that $\alpha \frown \beta \in S \cap L$. Thus, 
$(S, L)$ is machine-closed. ■ 

The fact that two properties are machine-closed can be formalized by using other 
conditions equivalent to those we used in our formal definition above. The first property 
in the following theorem states that a pair $(S, L)$ is machine-closed if $S$ is the same as 
the prefix and limit closure of the intersection of $S$ and $L$. The second property states 
that if the intersection of $S$ and $L$ is contained in a safety property, it must be the case 
that $S$ itself is contained in the same safety property. That is, $L$ does not add new safety 
constraints to those already defined by $S$. 

Theorem 6.7 Let $S$ be a safety property and $L$ be a liveness property for an automaton 
$\mathcal{A}$. The pair $(S, L)$ is machine-closed iff either of the following holds: 

1. $S = safe(S \cap L)$. 

2. If $S'$ is a safety property and $S \cap L \subseteq S'$ then $S \subseteq S'$. 

Proof: We show the following three implications: (1) if $(S, L)$ is machine-closed then 
$S = safe(S \cap L)$, (2) if $S = safe(S \cap L)$, then for any safety property $S'$, $S \cap L \subseteq S'$ implies 
$S \subseteq S'$, and (3) if for every safety property $S'$, $S \cap L \subseteq S'$ implies $S \subseteq S'$, then $(S, L)$ is 
machine-closed. 

1. Suppose $(S, L)$ is machine-closed. In order to show that $S = safe(S \cap L)$, we need 
to establish $S \subseteq safe(S \cap L)$ and $safe(S \cap L) \subseteq S$. To establish $S \subseteq safe(S \cap L)$ we 
take some $\alpha \in S$ and consider the following two cases: 

(a) $\alpha$ is a closed execution fragment. 

By the machine-closure assumption there exists $\beta$ such that $\alpha \frown \beta \in S \cap L$. 
Since $safe(S \cap L)$ contains all the prefixes of elements of $S \cap L$, $\alpha \in safe(S \cap L)$, 
as needed. 

(b) $\alpha$ is an infinite sequence or a finite sequence ending with a right-open trajectory. 
Then $\alpha$ must be the limit of a chain of closed execution fragments $\alpha_0\, \alpha_1 \cdots$ in 
$S$. Since $S$ is a safety property, every prefix of $\alpha$ is in $S$. Therefore for each $i$, 
we have $\alpha_i \in S$. By case (a), for each $i$, $\alpha_i \in safe(S \cap L)$. By definition of 
$safe(S \cap L)$ the limit $\alpha$ is also in $safe(S \cap L)$, as needed. 

To show $safe(S \cap L) \subseteq S$, take some $\alpha \in safe(S \cap L)$. We consider two cases: 

(a) $\alpha$ is a closed execution fragment. 

Then, by Lemma 6.3, $\alpha$ is a prefix of some element in $S \cap L$. That is to say, 
$\alpha \frown \beta \in (S \cap L)$ for some $\beta$ and it follows that $\alpha \frown \beta \in S$. Since $S$ is a safety 
property we have $\alpha \in S$, as needed. 

(b) $\alpha$ is an infinite sequence or a finite sequence ending with a right-open trajectory. 
Then $\alpha$ must be the limit of a chain of closed execution fragments $\alpha_0\, \alpha_1 \cdots$ in 
$safe(S \cap L)$. We have established in case (a) that each closed execution fragment 
$\alpha_i$ is in $S$. Since $S$ is a safety property, the limit $\alpha$ must also be in $S$, as needed. 

2. Suppose $S = safe(S \cap L)$. Let $S'$ be a safety property such that $S \cap L \subseteq S'$. Let 
$\alpha \in S$; we show that $\alpha \in S'$. 

(a) $\alpha$ is a closed execution fragment. 

Since $S = safe(S \cap L)$ by assumption, $\alpha \in safe(S \cap L)$, and since $\alpha$ is closed, 
by Lemma 6.3, $\alpha$ is a prefix of some element in $S \cap L$. Since $(S \cap L) \subseteq S'$ we 
have that $\alpha$ is a prefix of some element of $S'$. Since $S'$ is a safety property, 
$\alpha \in S'$. 

(b) $\alpha$ is an infinite sequence or a finite sequence ending with a right-open trajectory. 
Then $\alpha$ must be the limit of a chain of closed execution fragments $\alpha_0\, \alpha_1 \cdots$ 
in $safe(S \cap L)$. We have established in case (a) that each closed execution 
fragment $\alpha_i$ is in $S'$. Since $S'$ is a safety property, the limit $\alpha$ must also be in 
$S'$, as needed. 

3. Suppose that for every safety property $S'$, $S \cap L \subseteq S'$ implies $S \subseteq S'$. We must show 
that for every closed execution fragment $\alpha \in S$, there exists $\beta$ such that $\alpha \frown \beta \in S \cap L$. 
Let $\alpha$ be a closed execution fragment in $S$. By Lemma 6.2 we have that $safe(S \cap L)$ 
is a safety property. Since $S \cap L \subseteq safe(S \cap L)$, by assumption $S \subseteq safe(S \cap L)$. 
Since $\alpha \in S$, we have that $\alpha \in safe(S \cap L)$. Since $\alpha$ is closed, by Lemma 6.3, $\alpha$ is a 
prefix of some element of $S \cap L$. That is to say, there exists $\beta$ such that $\alpha \frown \beta \in S \cap L$, 
as needed. 



6.1.3 Special kinds of properties 

Fairness properties: Proving interesting liveness properties requires some assump- 
tions saying that certain activities in a concurrent system get "enough" chances to make 
progress. Fairness properties are special kinds of liveness properties that express such 
assumptions. We define two types of fairness: weak fairness and strong fairness. 

Let $\mathcal{A}$ be a TA and let $C$ be a subset of the actions of $\mathcal{A}$. Let $\alpha$ be an execution 
fragment of $\mathcal{A}$. Then: 

1. $\alpha$ is weakly fair for $C$ if (at least) one of the following conditions holds: 

(a) $\alpha$ contains infinitely many events from $C$. 

(b) There is no suffix $\beta$ of $\alpha$ such that $C$ is enabled in all states of $\beta$. 

2. $\alpha$ is strongly fair for $C$ if (at least) one of the following conditions holds: 

(a) $\alpha$ contains infinitely many events from $C$. 

(b) There is some suffix $\beta$ of $\alpha$ such that $C$ is disabled in all states of $\beta$. 

Consider a finite execution fragment $\alpha$. If $\alpha$ ends with a closed trajectory, the definition 
above says that for $\alpha$ to be weakly fair or strongly fair for $C$, $C$ must be disabled in $\alpha.lstate$. 
On the other hand, if $\alpha$ ends with a right-open trajectory, $\alpha$ is weakly fair provided that 
there are state occurrences with $C$ disabled, at times arbitrarily close to $\alpha.ltime$, and $\alpha$ is 
strongly fair provided that $C$ is continuously disabled from some point on in $\alpha$. 

Theorem 6.8 Let $\mathcal{A}$ be a TA, $C$ a subset of actions of $\mathcal{A}$ and $\alpha$ be an execution fragment 
of $\mathcal{A}$. If $\alpha$ is strongly fair for $C$ then $\alpha$ is weakly fair for $C$. 

Proof: Follows from the definitions of strong and weak fairness. ■ 

Theorem 6.9 For any timed automaton $\mathcal{A}$ and any subset $C$ of its actions, the set of 
strongly fair execution fragments for $C$ is a liveness property for $\mathcal{A}$. 

Proof: Fix a TA $\mathcal{A}$, a subset $C$ of the actions of $\mathcal{A}$, and let $\alpha$ be a closed execution 
fragment of $\mathcal{A}$. We are required to show that for some $\beta$, $\alpha \frown \beta$ is strongly fair for $C$. 
Construct an execution fragment $\beta = \alpha_0 \frown \alpha_1 \frown \cdots$ as follows: 

• $\alpha_0 = \wp(\alpha.lstate)$, 

• For each $i \geq 1$, if there exists $(\alpha_{i-1}.lstate, b, \mathbf{y}) \in \mathcal{D}_{\mathcal{A}}$ for some $b \in C$ and some 
$\mathbf{y} \in Q_{\mathcal{A}}$, then choose some such $b$ and $\mathbf{y}$ and define $\alpha_i = \wp(\alpha_{i-1}.lstate)\, b\, \wp(\mathbf{y})$; 
otherwise, $i - 1$ is the final index in the sequence. 

It follows that, if $\beta$ is a finite sequence then $C$ is disabled in its last state. Therefore, 
for some suffix of $\beta$, $C$ is disabled in all states and $\alpha \frown \beta$ is strongly fair with respect to 
$C$. On the other hand, if $\beta$ is an infinite sequence then $\alpha \frown \beta$ has infinitely many events 
from $C$, as needed. ■ 

Corollary 6.10 For any timed automaton $\mathcal{A}$ and any subset $C$ of its actions, the set of 
weakly fair execution fragments for $C$ is a liveness property for $\mathcal{A}$. 

Proof: Follows from Theorem 6.8 and Theorem 6.9. ■ 
Admissibility: Admissibility is another notion that is fundamental to any useful formal 
model for timed systems. It is hard to think about executions such as those that arise from 
Zeno behavior, yet they make formal sense. Admissibility conditions help one to avoid 
considering such executions in reasoning about properties. The formal definition of admis- 
sibility is given in Section 3.4.1. Formally, an execution fragment $\alpha$ is admissible if $\alpha.ltime = \infty$. 



Theorem 6.11 A timed automaton $\mathcal{A}$ is feasible if and only if its set of admissible exe- 
cution fragments is a liveness property for $\mathcal{A}$. 

Proof: Immediate from the definitions of feasibility and liveness property. ■ 



History-independence: History-independence is an important characteristic of prop- 
erties that simplifies the analysis of the behavior of an automaton. A property $P$ of a 
timed automaton $\mathcal{A}$ is said to be history-independent provided that the following holds: 
For every execution fragment $\alpha$, if $\alpha'$ is a suffix of $\alpha$, then $\alpha \in P$ if and only if $\alpha' \in P$. 
In other words, whether or not $\alpha$ satisfies $P$ is determined only by what happens in its 
suffixes; it is not affected by what happens in any initial portion of $\alpha$. If a property $P$ 
is known to be history-independent, then one can prove that an execution fragment $\alpha$ 
satisfies $P$ by considering the portion of $\alpha$ from some point onward. 

The liveness properties that are typically used are history-independent. Fairness 
and admissibility properties defined earlier in the section constitute examples of history- 
independent properties, as shown in the following theorems. 

Theorem 6.12 For any timed automaton $\mathcal{A}$, and any subset $C$ of its actions, the set of 
weakly fair execution fragments for $C$ is history-independent. 

Proof: Fix a TA $\mathcal{A}$, a subset $C$ of the actions of $\mathcal{A}$, and let $\alpha = \alpha' \frown \alpha''$ with $\alpha'.lstate = 
\alpha''.fstate$ be an execution fragment of $\mathcal{A}$. 

First, suppose that $\alpha$ is weakly fair for $C$. We are required to show that $\alpha''$ is also 
weakly fair with respect to $C$. By definition of weak fairness, either $\alpha$ contains infinitely 
many events from $C$, or it has no suffix in which $C$ is enabled in all states. Since $\alpha''$ is a 
suffix of $\alpha$, in either case we conclude that $\alpha''$ is weakly fair with respect to $C$ by using 
the definition of weak fairness. 

Now, suppose that $\alpha''$ is weakly fair for $C$. We are required to show that $\alpha$ is also 
weakly fair with respect to $C$. Similar to the case above, this is easy to show by using the 
definition of weak fairness and the fact that $\alpha''$ is a suffix of $\alpha$. ■ 

Theorem 6.13 For any timed automaton $\mathcal{A}$, and a subset $C$ of its actions, the set of 
strongly fair execution fragments for $C$ is history-independent. 



Theorem 6.14 For any timed automaton $\mathcal{A}$, the set of admissible execution fragments is 
history-independent. 

6.2 Implementation Relationships 

We define another preorder for automata with properties: 

• $(\mathcal{A}_1, P_1) \leq (\mathcal{A}_2, P_2)$ provided that $traces_{(\mathcal{A}_1, P_1)} \subseteq traces_{(\mathcal{A}_2, P_2)}$. 

If $P_1$ is a liveness property for a TA $\mathcal{A}_1$ and $P_2$ is any property for a TA $\mathcal{A}_2$, and 
$(\mathcal{A}_1, P_1)$ and $(\mathcal{A}_2, P_2)$ are related by the preorder defined above, then every closed trace 
of $\mathcal{A}_1$ is also a trace of $\mathcal{A}_2$. This is shown in the following theorem. 

Theorem 6.15 Suppose that $P_1$ is a liveness property for $\mathcal{A}_1$ and $P_2$ is any property for 
$\mathcal{A}_2$. If $(\mathcal{A}_1, P_1) \leq (\mathcal{A}_2, P_2)$ then every closed trace of $\mathcal{A}_1$ is a trace of $\mathcal{A}_2$. 

Proof: Assume $(\mathcal{A}_1, P_1) \leq (\mathcal{A}_2, P_2)$ and let $\beta$ be a closed trace of $\mathcal{A}_1$. Let $\alpha$ be a closed 
execution of $\mathcal{A}_1$ with $trace(\alpha) = \beta$. Since $P_1$ is a liveness property of $\mathcal{A}_1$, there exists an 
execution fragment $\alpha'$ of $\mathcal{A}_1$ such that $\alpha \frown \alpha' \in P_1$. 

Let $\beta' = trace(\alpha \frown \alpha')$; then clearly $\beta' \in traces_{(\mathcal{A}_1, P_1)}$. Then because $(\mathcal{A}_1, P_1) \leq 
(\mathcal{A}_2, P_2)$, we have that $\beta' \in traces_{(\mathcal{A}_2, P_2)}$. Since $\beta$ is a prefix of $\beta'$ and the set of traces of 
$\mathcal{A}_2$ is prefix-closed, it follows that $\beta$ is a trace of $\mathcal{A}_2$, as needed. ■ 

6.3 Simulation Relations 

As we have seen in Section 4.5, simulation relations provide a useful tool for reasoning 
about implementation relationships between automata at multiple levels of abstraction. 
The existence of a forward or a backward simulation relation, or a history or a prophecy 
relation, from one timed automaton $\mathcal{A}$ to another, $\mathcal{B}$, is sufficient to establish that each 
trace of $\mathcal{A}$ is also a trace of $\mathcal{B}$. 

For any TA $\mathcal{A}$ the set of all execution fragments of $\mathcal{A}$, $frags_{\mathcal{A}}$, constitutes a safety 
property. This follows from the definition of a safety property in Section 6.1.1 by using 
the fact that $frags_{\mathcal{A}}$ is prefix- and limit-closed. Suppose we define a safety property $S_1$ 
for an automaton $\mathcal{A}$ to be $frags_{\mathcal{A}}$ and a safety property $S_2$ for an automaton $\mathcal{B}$ to be 
$frags_{\mathcal{B}}$. The existence of a forward simulation relation from $\mathcal{A}$ to $\mathcal{B}$ would imply that 
for any execution $\alpha \in S_1$, there is an execution $\beta \in S_2$ such that $trace(\alpha) = trace(\beta)$. 
However, the same implication does not in general hold if we replace safety properties $S_1$ 
and $S_2$ with arbitrary liveness properties $L_1 \subseteq S_1$ and $L_2 \subseteq S_2$ for $\mathcal{A}$ and $\mathcal{B}$, respectively. 
In [9] Attie addresses this issue in an untimed setting and proposes several notions of 
"liveness-preserving" simulation relations. The liveness properties that he considers are 
of a special form that are analogous to the acceptance condition of a complemented-pairs 
automaton [7]. 

In the two theorems below, we consider the special classes of weak and strong fairness 
properties and state some extra constraints on forward simulation relations. The existence 
of a forward simulation relation from an automaton A to another B that satisfies these 
additional constraints allows us to conclude that the trace of each fair execution of A 
is also a trace of a fair execution of B. The constraints that we impose on the forward 
simulation relation for discrete steps turn out to be special cases of Attie's constraints [9]. 

Let $A$ and $B$ be comparable TAs. Let $C_A$ be a set of actions of $A$ and $C_B$ be a set 
of actions of $B$. A fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$ is a 
relation $R \subseteq Q_A \times Q_B$ satisfying the following conditions, for all states $x_A$ and $x_B$ of $A$ 
and $B$, respectively: 

1. If $x_A \in \Theta_A$ then there exists a state $x_B \in \Theta_B$ such that $x_A\,R\,x_B$. Moreover, if $C_A$ 
is disabled in $x_A$, then $C_B$ is disabled in $x_B$. 

2. If $x_A\,R\,x_B$ and $\alpha$ is an execution fragment of $A$ consisting of an action $a$ surrounded 
by two point trajectories, with $\alpha.fstate = x_A$, then $B$ has a closed execution fragment 
$\beta$ such that $\beta.fstate = x_B$, $trace(\beta) = trace(\alpha)$, and $\alpha.lstate\,R\,\beta.lstate$. Moreover, 

(a) If $a \in C_A$ then $\beta$ contains some event in $C_B$. 

(b) If $C_A$ is disabled in $\alpha.lstate$ then 

i. If $\beta = \wp(x_B)$ then $C_B$ is disabled in $x_B$. 
ii. If $\beta \neq \wp(x_B)$ then $C_B$ is disabled in all states in $\beta$ except possibly in $x_B$. 

3. If $x_A\,R\,x_B$ and $\alpha$ is an execution fragment of $A$ consisting of a single closed trajectory, 
with $\alpha.fstate = x_A$, then $B$ has a closed execution fragment $\beta$ such that 
$\beta.fstate = x_B$, $trace(\beta) = trace(\alpha)$, and $\alpha.lstate\,R\,\beta.lstate$. Moreover, 

(a) If $\beta.ltime = 0$ and $C_A$ is disabled in $x_A$ then $C_B$ is disabled in all states in $\beta$. 

(b) If $\beta.ltime > 0$ then for all $t$ such that $0 < t \le \alpha.ltime$, if $C_A$ is disabled in 
$\alpha(t)$ then for each closed prefix $\beta'$ of $\beta$ such that $\beta'.ltime = t$, $C_B$ is disabled in 
$\beta'.lstate$. 

We say that $R$ is a fair forward simulation from $A$ to $B$, without mentioning $C_A$ and 
$C_B$ explicitly, when those sets are clear from the context. 

Now, we define a construction that, given two automata $A$ and $B$, two sets of actions 
$C_A$ and $C_B$, a fair forward simulation $R$ from $A$ to $B$, and an execution $\alpha$ of $A$, generates 
an execution $\beta$ of $B$ by using the definition of a fair forward simulation. 

Let $A$ and $B$ be two TAs, $C_A$ and $C_B$ be sets of actions for $A$ and $B$, respectively, 
and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$. Let $\alpha$ be an 
execution of $A$. The construction consists of the following steps: 

1. Using axioms T1 and T2, write $\alpha$ as a concatenation $\alpha_0 \frown \alpha_1 \frown \alpha_2 \cdots$ (or $\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_n$ 
if $\alpha$ is a finite sequence ending with a closed trajectory), in which each execution 
fragment $\alpha_i$ consists of either a single closed trajectory or one action surrounded by 
two point trajectories. Without loss of generality, we can assume that for each $i \ge 0$, 

$\alpha_i.lstate = \alpha_{i+1}.fstate$. 

2. Define inductively a sequence $\beta_0\, \beta_1 \cdots$ of closed execution fragments of $B$, such that 
$\beta_0.fstate = x_B$ for some $x_B \in \Theta_B$ and, for each $i$, $\alpha_i.lstate\,R\,\beta_i.lstate$, $\beta_i.lstate = 
\beta_{i+1}.fstate$, and $trace(\alpha_i) = trace(\beta_i)$. We use Properties 1 and 3 of a fair forward 
simulation in the construction of $\beta_0$, Property 2 in the construction of $\beta_i$ consisting of 
one action surrounded by two point trajectories, and Property 3 in the construction 
of $\beta_i$ consisting of a single closed trajectory. 

3. Let $\beta$ be the concatenation $\beta_0 \frown \beta_1 \frown \cdots$. 

For such $\beta$, we say that $\beta$ corresponds to $\alpha$ with respect to $R$, $C_A$ and $C_B$. When 
$R$, $C_A$ and $C_B$ are clear from the context, we do not state their names explicitly. 

Lemma 6.16 Let $A$ and $B$ be two TAs, $C_A$ and $C_B$ be sets of actions for $A$ and $B$, 
respectively, and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$. 
Let $\alpha$ be an execution of $A$ and $\beta$ be an execution of $B$ that corresponds to $\alpha$. Suppose 
that $\alpha$ is expressed as $\alpha_0 \frown \alpha_1 \frown \cdots$ and $\beta$ is expressed as $\beta_0 \frown \beta_1 \frown \cdots$ in the construction 
of $\beta$. Then, $\beta$ satisfies the following properties: 

1. If $C_A$ is disabled in $\alpha_0.fstate$, then $C_B$ is disabled in $\beta_0.fstate$. 

2. For each $\alpha_i$ of the form $\wp(x_A)\, a\, \wp(x'_A)$ let $x_B = \beta_i.fstate$. Then, 

• If $a \in C_A$ then $\beta_i$ contains some event in $C_B$. 

• If $C_A$ is disabled in $x'_A$ then 

  – If $\beta_i = \wp(x_B)$ then $C_B$ is disabled in $x_B$. 

  – If $\beta_i \neq \wp(x_B)$ then $C_B$ is disabled in all states in $\beta_i$ except possibly in $x_B$. 

3. For each $\alpha_i$ consisting of a single closed trajectory: 

• If $\beta_i.ltime = 0$ and $C_A$ is disabled in $\alpha_i.fstate$ then $C_B$ is disabled in all states 
in $\beta_i$. 

• If $\beta_i.ltime > 0$ then for all $t$ such that $0 < t \le \alpha_i.ltime$, if $C_A$ is disabled in 
$\alpha_i(t)$ then for each closed prefix $\beta'_i$ of $\beta_i$ such that $\beta'_i.ltime = t$, $C_B$ is disabled 
in $\beta'_i.lstate$. 

4. $\beta$ is an execution of $B$ such that $trace(\beta) = trace(\alpha)$. 

Proof: Properties 1, 2 and 3 follow from the construction of $\beta$ and the definition of a 
fair forward simulation relation. We show property 4 as follows. By Lemma 4.7, $\beta$ is an 
execution fragment of $B$. By the construction of $\beta$, $\beta_0.fstate = x_B$ for some $x_B \in \Theta_B$. 
Therefore, $\beta$ is an execution of $B$. By Lemma 3.9 applied to both $\alpha$ and $\beta$, $trace(\beta) = 
trace(\alpha)$. ■ 



Lemma 6.17 Let $A$ and $B$ be two TAs, $C_A$ and $C_B$ be sets of actions for $A$ and $B$, 
respectively, and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$. 
Let $\alpha$ be an execution of $A$, and let $\beta$ be an execution of $B$ that corresponds to $\alpha$. Then, 
if $\alpha$ contains infinitely many events from $C_A$ it must be the case that $\beta$ contains infinitely 
many events from $C_B$. 

Proof: We know that, in the construction of $\beta$, $\alpha$ is expressed as $\alpha_0 \frown \alpha_1 \frown \cdots$ in 
which each execution fragment $\alpha_i$ consists of either a single closed trajectory or one action 
surrounded by two point trajectories, and $\beta$ is expressed as $\beta_0 \frown \beta_1 \frown \cdots$. Suppose that $\alpha$ 
contains infinitely many events from $C_A$. By property 2 of Lemma 6.16 in the construction 
of $\beta$, we have that for each $\alpha_i$ consisting of one action surrounded by two point trajectories, 
if $\alpha_i$ contains a $C_A$ event, then $\beta_i$ contains a $C_B$ event. Since there are infinitely many $C_A$ 
events in $\alpha$, there must be infinitely many $C_B$ events in $\beta$, as needed. ■ 

Lemma 6.18 Let $A$ and $B$ be two TAs, $C_A$ and $C_B$ be sets of actions for $A$ and $B$, 
respectively, and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$. 
Let $\alpha$ be an execution of $A$ that is a finite sequence ending with a closed trajectory, and let 
$\beta$ be an execution of $B$ that corresponds to $\alpha$. Then, if $C_A$ is disabled in $\alpha.lstate$ it must 
be the case that $C_B$ is disabled in $\beta.lstate$. 

Proof: We know that, in the construction of $\beta$, $\alpha$ is expressed as $\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_n$ in 
which each execution fragment $\alpha_i$ consists of either a single closed trajectory or one action 
surrounded by two point trajectories and $\beta$ is expressed as $\beta_0 \frown \beta_1 \frown \cdots \frown \beta_n$. Suppose 
that $C_A$ is disabled in $\alpha.lstate$. Since $\alpha.lstate = \alpha_n.lstate$, we have that $C_A$ is disabled in 
$\alpha_n.lstate$. Now, consider the following cases: 

1. $\alpha_n$ is a single closed trajectory. 

Since $C_A$ is disabled in $\alpha_n.lstate$, by using property 3 in Lemma 6.16, we have that 
$C_B$ is disabled in $\beta_n.lstate$. Since $\beta.lstate = \beta_n.lstate$, we have that $C_B$ is disabled 
in $\beta.lstate$, as needed. 

2. $\alpha_n$ is one action surrounded by point trajectories. 

Since $C_A$ is disabled in $\alpha_n.lstate$, by using property 2 in Lemma 6.16, we have that 
$C_B$ is disabled in $\beta_n.lstate$. Since $\beta.lstate = \beta_n.lstate$, we have that $C_B$ is disabled 
in $\beta.lstate$, as needed. ■ 
Lemma 6.19 Let $A$ and $B$ be two TAs, $C_A$ and $C_B$ be sets of actions for $A$ and $B$, 
respectively, and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$. 
Let $\alpha$ be an execution of $A$ such that $\alpha$ is an infinite sequence or a finite sequence ending 
with an open trajectory, and let $\beta$ be an execution of $B$ that corresponds to $\alpha$. Then, if for 
some suffix $\alpha'$ of $\alpha$, $C_A$ is disabled in all states in $\alpha'$, it must be the case that for some 
suffix $\beta'$ of $\beta$, $C_B$ is disabled in all states in $\beta'$. 

Proof: We know that, in the construction of $\beta$, $\alpha$ is expressed as $\alpha_0 \frown \alpha_1 \frown \cdots$ in 
which each execution fragment $\alpha_i$ consists of either a single closed trajectory or one action 
surrounded by two point trajectories, and $\beta$ is expressed as $\beta_0 \frown \beta_1 \frown \cdots$. Suppose that 
for some suffix $\alpha'$ of $\alpha$, $C_A$ is disabled in all states in $\alpha'$. Consider the following cases: 

1. For infinitely many $i \ge 0$, $\alpha_i$ is an execution fragment consisting of an action 
surrounded by point trajectories. 

Without loss of generality we can assume that $\alpha' = \alpha_i \frown \alpha_{i+1} \frown \cdots$ for some $i \ge 0$ 
and $\alpha'$ is an infinite sequence starting with a discrete action surrounded by two point 
trajectories. Now, consider the corresponding execution fragment $\beta' = \beta_i \frown \beta_{i+1} \frown \cdots$ 
of $B$. Let $\beta''$ be the suffix $\beta_{i+1} \frown \beta_{i+2} \frown \cdots$ of $\beta'$. Since $C_A$ is disabled in all states 
in $\alpha'$, $C_A$ is disabled in $\alpha_i.lstate$. By property 2 of Lemma 6.16 we know that $C_B$ 
is disabled in $\beta_i.lstate$. Then for each $j > i$, by properties 2 and 3 of Lemma 6.16, 
we know that $C_B$ is disabled in all states in $\beta_j$, except possibly in $\beta_j.fstate$. Since 
for each $j > i$, $\beta_j.fstate = \beta_{j-1}.lstate$ by the construction of $\beta$, we know that $C_B$ is 
disabled in all states of $\beta''$, which is a suffix of $\beta$. 

2. For only finitely many $i \ge 0$, $\alpha_i$ consists of an action surrounded by point trajectories. 
Then for all sufficiently large $i \ge 0$, $\alpha_i$ consists of a single closed trajectory. Without 
loss of generality we can assume that $\alpha' = \alpha_i \frown \alpha_{i+1} \frown \cdots$ for some sufficiently 
large $i \ge 0$ and for each $j \ge i$, $\alpha_j$ is a single closed trajectory. Now consider 
the corresponding execution fragment $\beta' = \beta_i \frown \beta_{i+1} \frown \cdots$. Let $\beta''$ be the suffix 
$\beta_{i+1} \frown \beta_{i+2} \frown \cdots$ of $\beta'$. Since $C_A$ is disabled in all states in $\alpha'$, $C_A$ is disabled 
in $\alpha_i.lstate$. Then, by property 3 of Lemma 6.16, we know that $C_B$ is disabled in 
$\beta_i.lstate$ and for each $j > i$, $C_B$ is disabled in all states in $\beta_j$, except possibly in 
$\beta_j.fstate$. Since for each $j > i$, $\beta_j.fstate = \beta_{j-1}.lstate$ by the construction of $\beta$, we 
know that $C_B$ is disabled in all states of $\beta''$, which is a suffix of $\beta$. ■ 



Lemma 6.20 Let $A$ and $B$ be two TAs, $C_A$ and $C_B$ be sets of actions for $A$ and $B$, 
respectively, and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and $C_B$. 
Let $\alpha$ be an execution of $A$ such that $\alpha$ is an infinite sequence or a finite sequence ending 
with an open trajectory, and let $\beta$ be an execution of $B$ that corresponds to $\alpha$. Then, if 
there is no suffix $\alpha'$ of $\alpha$ such that $C_A$ is enabled in all states in $\alpha'$ it must be the case 
that there is no suffix $\beta'$ of $\beta$ such that $C_B$ is enabled in all states in $\beta'$. 

Proof: We know that, in the construction of $\beta$, $\alpha$ is expressed as $\alpha_0 \frown \alpha_1 \frown \cdots$ in 
which each execution fragment $\alpha_i$ consists of either a single closed trajectory or one action 
surrounded by two point trajectories, and $\beta$ is expressed as $\beta_0 \frown \beta_1 \frown \cdots$. Suppose that 
there is no suffix $\alpha'$ of $\alpha$ such that $C_A$ is enabled in all states in $\alpha'$. This means that for 
infinitely many $i \ge 0$, $C_A$ is disabled in some state of $\alpha_i$. Then, by properties 2 and 3 in 
Lemma 6.16, we know that for infinitely many $i \ge 0$, $C_B$ is disabled in some state of $\beta_i$. 
This implies that $\beta$ has no suffix in which $C_B$ is enabled in all states. ■ 

The following lemma states that a fair forward simulation from A to B yields a corre- 
spondence for open trajectories. 

Lemma 6.21 Let $A$ and $B$ be comparable TAs, $C_A$ and $C_B$ be sets of actions of $A$ and 
$B$ respectively, and $R$ be a fair forward simulation from $A$ to $B$ with respect to $C_A$ and 
$C_B$. Let $x_A$ and $x_B$ be states of $A$ and $B$, respectively, such that $x_A\,R\,x_B$. Let $\alpha$ be an 
execution fragment of $A$ from state $x_A$ consisting of a single open trajectory $\tau$. Then $B$ 
has an execution fragment $\beta$ with $\beta.fstate = x_B$ and $trace(\beta) = trace(\alpha)$. Moreover, $\beta$ 
satisfies the following condition: for all $t$ such that $0 < t < \tau.ltime$, if $C_A$ is disabled in 
$\tau(t)$ then for each prefix $\beta'$ of $\beta$ such that $\beta'.ltime = t$, $C_B$ is disabled in $\beta'.lstate$. 

Proof: Let $\tau$ be the single open trajectory in $\alpha$. Using axioms T1 and T2, we construct 
an infinite sequence $\tau_0\, \tau_1 \ldots$ of closed trajectories of $A$ such that $\tau = \tau_0 \frown \tau_1 \frown \cdots$. Then, 
working recursively, we construct a sequence $\beta_0\, \beta_1 \ldots$ of closed execution fragments of 
$B$ such that $\beta_0.fstate = x_B$ and, for each $i$, $\tau_i.lstate\,R\,\beta_i.lstate$, $\beta_i.lstate = \beta_{i+1}.fstate$, 
$trace(\tau_i) = trace(\beta_i)$, and the following fairness condition holds: for all $t$ such that $0 < 
t \le \tau_i.ltime$, if $C_A$ is disabled in $\tau_i(t)$ then for each prefix $\beta'_i$ of $\beta_i$ such that $\beta'_i.ltime = t$, 
$C_B$ is disabled in $\beta'_i.lstate$. This construction uses induction on $i$, using Property 3 of the 
definition of a fair forward simulation in the induction step. Now let $\beta = \beta_0 \frown \beta_1 \frown \cdots$. By 
Lemma 4.7, $\beta$ is an execution fragment of $B$. Clearly, $\beta.fstate = x_B$. By Lemma 3.9 applied 
to both $\alpha$ and $\beta$, $trace(\beta) = trace(\alpha)$. Using Property 3 for each $\beta_i$, and the inductive 
hypothesis $\beta_i.lstate = \beta_{i+1}.fstate$, we have that for all $t$ such that $0 < t < \tau.ltime$, if $C_A$ 
is disabled in $\tau(t)$ then for each prefix $\beta'$ of $\beta$ such that $\beta'.ltime = t$, $C_B$ is disabled in 
$\beta'.lstate$. Thus $\beta$ has the required properties. ■ 

Theorem 6.22 Suppose that $R$ is a fair forward simulation relation from $A$ to $B$ with 
respect to a set $C_A$ of actions of $A$ and a set $C_B$ of actions of $B$. Let $L_A$ be the set of 
strongly fair executions of $A$ for $C_A$ and let $L_B$ be the set of strongly fair executions of $B$ 
for $C_B$. Then $(A, L_A) \le (B, L_B)$. 

Proof: Let $\alpha$ be an execution of $A$ such that $\alpha \in L_A$ and let $\beta$ be an execution fragment 
of $B$ that corresponds to $\alpha$ with respect to $R$, $C_A$ and $C_B$. By property 4 in Lemma 6.16 
we know that $\beta$ is an execution of $B$ such that $trace(\alpha) = trace(\beta)$. We show that $\beta \in L_B$ 
by considering the following cases: 

1. $\alpha$ contains infinitely many events from $C_A$. 

By Lemma 6.17, we know that $\beta$ has infinitely many events from $C_B$. Then, by 
definition of strong fairness $\beta \in L_B$, as needed. 

2. For some suffix $\alpha'$ of $\alpha$, $C_A$ is disabled in all states in $\alpha'$. 

(a) $\alpha$ is either an infinite sequence or a finite sequence ending with an open trajectory. 

Then, by Lemma 6.19, we have that $C_B$ is disabled in all states in some suffix 
of $\beta$. Then, by definition of strong fairness $\beta \in L_B$, as needed. 

(b) $\alpha$ is a finite sequence ending with a closed trajectory. 

By Lemma 6.18, we have that $C_B$ is disabled in $\beta.lstate$. Since the point trajectory 
$\wp(\beta.lstate)$ is a suffix of $\beta$, by definition of strong fairness $\beta \in L_B$, as needed. ■ 



Theorem 6.23 Suppose that $R$ is a fair forward simulation relation from $A$ to $B$ with 
respect to a set $C_A$ of actions of $A$ and a set $C_B$ of actions of $B$. Let $L_A$ be the set of 
weakly fair executions of $A$ for $C_A$ and let $L_B$ be the set of weakly fair executions of $B$ for 
$C_B$. Then $(A, L_A) \le (B, L_B)$. 

Proof: Let $\alpha$ be an execution of $A$ such that $\alpha \in L_A$ and let $\beta$ be an execution fragment 
of $B$ that corresponds to $\alpha$ with respect to $R$, $C_A$ and $C_B$. By property 4 in Lemma 6.16 
we know that $\beta$ is an execution of $B$ such that $trace(\alpha) = trace(\beta)$. We show that $\beta \in L_B$ 
by considering the following cases: 

1. $\alpha$ contains infinitely many events from $C_A$. 

By Lemma 6.17, we know that $\beta$ has infinitely many events from $C_B$. Then, by 
definition of weak fairness $\beta \in L_B$, as needed. 

2. There is no suffix $\alpha'$ of $\alpha$ such that $C_A$ is enabled in all states in $\alpha'$. 

(a) $\alpha$ is either an infinite sequence or a finite sequence ending with an open trajectory. 

Then, by Lemma 6.20, we have that there is no suffix $\beta'$ of $\beta$ such that $C_B$ is 
enabled in all states in $\beta'$. By definition of weak fairness $\beta \in L_B$, as needed. 

(b) $\alpha$ is a finite sequence ending with a closed trajectory. 

By Lemma 6.18, we have that $C_B$ is disabled in $\beta.lstate$. Therefore, $\beta$ cannot 
have any suffix in which $C_B$ is enabled in all states. Then, by definition of weak 
fairness $\beta \in L_B$, as needed. ■ 



It would have been possible to prove Theorem 6.23 for a slightly different notion of 
fair forward simulation obtained by weakening Property 3 of the current definition. The 
current definition requires that the disabling is carried over from the low-level automaton 
to the high-level one for all states in a trajectory, except for the first state of trajectories 
with limit time greater than zero. For proving Theorem 6.23, it would have been sufficient 
to require that the disabling be carried over for some states only. 

6.4 Composition 

This section includes results that are essential for compositional reasoning about timed 
automata with properties. They are specializations of the similar results in Section 5.1. 

6.4.1 Definitions and Basic Results 

If $A_1$ and $A_2$ are two compatible timed automata and $P_1$ and $P_2$ are properties for $A_1$ 
and $A_2$, respectively, then we define $P_1 \| P_2$ to be $\{\alpha \in frags_{A_1 \| A_2} \mid \alpha \lceil (A_i, X_i) \in P_i,\ i \in 
\{1, 2\}\}$. Using this, we define composition of automata with properties $(A_1, P_1) \| (A_2, P_2)$ 
as $(A_1 \| A_2, P_1 \| P_2)$. 

Theorem 6.24 Let $A_1$ and $A_2$ be two compatible TAs and $P_1$ and $P_2$ be properties for $A_1$ 
and $A_2$, respectively. Then $traces_{(A_1 \| A_2, P_1 \| P_2)}$ is exactly the set of $(E, \emptyset)$-sequences whose 
restrictions to $A_1$ and $A_2$ are in $traces_{(A_1,P_1)}$ and $traces_{(A_2,P_2)}$, respectively. That is, 

$traces_{(A_1 \| A_2, P_1 \| P_2)} = \{\beta \mid \beta \text{ is an } (E, \emptyset)\text{-sequence and } \beta \lceil (E_i, \emptyset) \in traces_{(A_i,P_i)},\ i \in \{1, 2\}\}$. 

Proof: Follows from the definition of composition of automata with properties and Theorem 5.4. ■ 



6.4.2 Substitutivity Results 

Theorem 6.25 Suppose that $A_1$, $A_2$, and $B$ are TAs, $A_1$ and $A_2$ have the same external 
actions, and each of $A_1$ and $A_2$ is compatible with $B$. Suppose that $P_1$, $P_2$, and $Q$ are 
properties for $A_1$, $A_2$, and $B$, respectively. If $(A_1, P_1) \le (A_2, P_2)$ then $(A_1, P_1) \| (B, Q) \le 
(A_2, P_2) \| (B, Q)$. 

This theorem can be strengthened with two corollaries. 

Corollary 6.26 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TAs, $A_1$ and $A_2$ have the same external 
actions, $B_1$ and $B_2$ have the same external actions, and each of $A_1$ and $A_2$ is compatible 
with each of $B_1$ and $B_2$. Suppose that $P_i$ and $Q_i$ are properties for $A_i$ and $B_i$, respectively, 
for $i \in \{1, 2\}$. If $(A_1, P_1) \le (A_2, P_2)$ and $(B_1, Q_1) \le (B_2, Q_2)$ then $(A_1, P_1) \| (B_1, Q_1) \le 
(A_2, P_2) \| (B_2, Q_2)$. 

Corollary 6.27 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TAs, $A_1$ and $A_2$ have the same external 
actions, $B_1$ and $B_2$ have the same external actions, and each of $A_1$ and $A_2$ is compatible 
with each of $B_1$ and $B_2$. Suppose that $P_i$ and $Q_i$ are properties for $A_i$ and $B_i$, respectively, 
for $i \in \{1, 2\}$. If $(A_1, P_1) \| (B_2, Q_2) \le (A_2, P_2) \| (B_2, Q_2)$ and $(B_1, Q_1) \le (B_2, Q_2)$ then 

$(A_1, P_1) \| (B_1, Q_1) \le (A_2, P_2) \| (B_2, Q_2)$. 

7 Timed I/O Automata 

In this section we refine the timed automaton model of Section 4 by distinguishing between 
input and output actions. Typically, an interaction between a system and its environment 
is modeled by using output and input actions to represent, respectively, the external events 
under the control of the system and the environment. We extend the results on simulation 
relations and composition from Sections 4 and 5 to this new setting. We also introduce 
special kinds of timed I/O automata: I/O feasible, progressive, and receptive TIOAs. 

7.1 Definition of Timed I/O Automata 

A timed I/O automaton (TIOA) $A$ is a tuple $(B, I, O)$ where 

• $B = (X, Q, \Theta, E, H, \mathcal{D}, \mathcal{T})$ is a timed automaton. 

• $I$ and $O$ partition $E$ into input and output actions, respectively. Actions in $L = 
H \cup O$ are called locally controlled; as before we write $A = E \cup H$. 

• The following additional axioms are satisfied: 

E1 (Input action enabling) 

For every $x \in Q$ and every $a \in I$, there exists $x' \in Q$ such that $x \xrightarrow{a} x'$. 

E2 (Time-passage enabling) 

For every $x \in Q$, there exists $\tau \in \mathcal{T}$ such that $\tau.fstate = x$ and either 

1. $\tau.ltime = \infty$, or 

2. $\tau$ is closed and some $l \in L$ is enabled in $\tau.lstate$. 
Input action enabling is the input enabling condition of ordinary I/O automata; it says 
that a TIOA is able to perform an input action at any time. The time-passage enabling 
condition says that a TIOA either allows time to advance forever, or it allows 
time to advance for a while, up to a point where it is prepared to react with some locally 
controlled action. Because TIOAs have no external variables, E1 and E2 are slightly 
simpler than the corresponding axioms for HIOAs. 

Notation: As we did for TAs, we often denote the components of a TIOA $A$ by 
$B_A, I_A, O_A, X_A, Q_A, \Theta_A$, etc., and those of a TIOA $A_i$ by $B_i, I_i, O_i, \ldots, X_i, Q_i, \Theta_i$, etc. 
We sometimes omit these subscripts, where no confusion is likely. We abuse notation 
slightly by referring to a TIOA $A$ as a TA when we intend to refer to $B_A$. 

Example 7.1 (TAs viewed as TIOAs) The automaton $TimedChannel(b, M)$ described 
in Example 4.1 can be turned into a TIOA by classifying the send actions as inputs, and 
the receive actions as outputs. Since there is no precondition for send actions, they are 
enabled in each state, so clearly the input enabling condition E1 holds. It is also easy to 
see that axiom E2 holds: in each state either $queue$ is nonempty, in which case a receive 
output action is enabled after a point trajectory, or $queue$ is empty, in which case time 
can advance forever. 

The automaton $ClockSync(u, \rho)_i$ of Example 4.6 can be turned into a TIOA by classifying 
the send actions as outputs, and the receive actions as inputs. Axiom E1 then holds 
trivially. Axiom E2 holds since from each state either time can advance forever, or we have 
an outgoing trajectory (possibly of length 0) to a state in which $physclock = nextsend$, 
and from there a send output action is enabled. ■ 



7.2 Executions and Traces 

An execution fragment, execution, trace fragment, or trace of a TIOA A is defined to 
be an execution fragment, execution, trace fragment, or trace of the underlying TA Ba, 
respectively. 

We say that an execution fragment of a TIOA is locally-Zeno if it is Zeno and contains 
infinitely many locally controlled actions, or equivalently, if it has finite limit time and 
contains infinitely many locally controlled actions. 

7.3 Special Kinds of Timed I/O Automata 

7.3.1 Feasible and I/O Feasible TIOAs 

A TIOA $A = (B, I, O)$ is defined to be feasible provided that its underlying TA $B$ is feasible 
according to the definition given in Section 4.3.1. As noted in Section 4.3.1, feasibility is a 
basic requirement that any TA (or TIOA) should satisfy. I/O feasibility is a strengthened 
version of feasibility that takes inputs into account. It says that the automaton is capable of 
providing some response from any state, for any sequence of input actions and any amount 
of intervening time-passage. In particular, it should allow time to pass to infinity if the 
environment does not submit any input actions. Formally, we define a TIOA to be I/O 
feasible provided that, for each state $x$ and each $(I, \emptyset)$-sequence $\beta$, there is some execution 
fragment $\alpha$ from $x$ such that $\alpha \lceil (I, \emptyset) = \beta$. That is, an I/O feasible TIOA accommodates 
arbitrary input actions occurring at arbitrary times. The given $(I, \emptyset)$-sequence $\beta$ describes 
the inputs and the amounts of intervening times. 

7.3.2 Progressive TIOAs 

A progressive TIOA never generates infinitely many locally controlled actions in finite 
time. Formally, a TIOA $A$ is progressive if it has no locally-Zeno execution fragments. 

The following lemma says that any progressive TIOA is capable of advancing time 
forever. 

Lemma 7.2 Every progressive TIOA is feasible. 

Proof: Let $A$ be a progressive TIOA and let $x$ be a state of $A$. Since $A$ is a TIOA it 
satisfies axiom E2. We construct an admissible execution fragment $\alpha = \alpha_0 \frown \alpha_1 \frown \alpha_2 \cdots$ 
from $x$ as follows. 

1. $\alpha_0 = \wp(x)$. 

2. For each $i > 0$, 

(a) If there exists a trajectory $\tau$ from $\alpha_{i-1}.lstate$ such that $\tau.ltime = \infty$ then $\alpha_i$ is 
the final execution fragment in the sequence and $\alpha_i = \tau$. 

(b) Otherwise, let $\tau_i$ be a closed execution fragment from $\alpha_{i-1}.lstate$ such that $l \in L$ 
is enabled in $\tau_i.lstate$. Define $\alpha_i = \tau_i\, l\, \tau_{i+1}$ where $\tau_{i+1} = \wp(y)$ and $\tau_i.lstate \xrightarrow{l} y$. 

The above construction either ends after finitely many stages such that the last trajectory 
of $\alpha$ is admissible, or goes through infinitely many stages such that $\alpha$ contains 
infinitely many local actions. In the former case, we know that $\alpha$ is admissible since it 
ends with an admissible trajectory. In the latter case, since $A$ is progressive, the fact 
that $\alpha$ has infinitely many local actions implies that $\alpha$ is admissible, as needed. ■ 

The following lemma says that a progressive TIOA is capable of allowing any amount 
of time to pass from any state. 
Lemma 7.3 Let $A$ be a progressive TIOA, let $x$ be a state of $A$, and let $\tau \in trajs(\emptyset)$. 
Then there exists an execution fragment $\alpha$ of $A$ such that $\alpha.fstate = x$ and $\alpha \lceil (I, \emptyset) = \tau$. 

Proof: The result follows from the construction used in the proof of Lemma 7.2. Let 
$\alpha$ be an admissible execution fragment from $x$ constructed as in the proof of Lemma 7.2. 
Let $\alpha'$ be a prefix of $\alpha$ such that $\alpha' \lceil (\emptyset, \emptyset) = \tau$. Since our construction uses no actions 
from $I$, we have $\alpha' \lceil (I, \emptyset) = \alpha' \lceil (\emptyset, \emptyset) = \tau$, as needed. ■ 

The following theorem says that a progressive TIOA is capable not just of allowing 
arbitrary amounts of time to pass, but of allowing arbitrary input actions at arbitrary 
times. 

Theorem 7.4 Every progressive TIOA is I/O feasible. 

Proof: Let $A$ be a progressive TIOA, let $x$ be a state of $A$, and let $\beta = \tau_0\, a_1\, \tau_1\, a_2\, \tau_2 \cdots$ 
be an $(I, \emptyset)$-sequence. We construct a finite or infinite sequence $\alpha_0\, \alpha_1 \ldots$ of execution 
fragments such that: 

1. $\alpha_0.fstate = x$. 

2. For each nonfinal index $i$, $\alpha_i.lstate = \alpha_{i+1}.fstate$. 

3. For each $i$, $(\alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_i) \lceil (I, \emptyset) = \tau_0\, a_1\, \tau_1 \ldots \tau_i$. 

The construction is carried out recursively. To define $\alpha_0$, we start with $x$ and use 
Lemma 7.3 to span $\tau_0$. For $i > 0$, we define $\alpha_i$ by starting with $\alpha_{i-1}.lstate$, using axiom 
E1 to perform the input action $a_i$ and move to a new state and then using Lemma 7.3 to 
span $\tau_i$. 

Let $\alpha = \alpha_0 \frown \alpha_1 \frown \cdots$. By Lemma 3.8, $\alpha$ is an execution fragment of $A$ from $x$ such 
that $\alpha \lceil (I, \emptyset) = \beta$, as needed. ■ 



7.3.3 Receptive Timed I/O Automata 

In this section, we define the notion of receptiveness for TIOAs. A TIOA will be defined 
to be receptive provided that it admits a strategy for resolving its nondeterministic choices 
that never generates infinitely many locally controlled actions in finite time. This notion 
has an important consequence: A receptive TIOA provides some response from any state, 
for any sequence of discrete input actions at any times. This implies that the automa- 
ton has a nontrivial set of execution fragments, in fact, it has execution fragments that 
accommodate any inputs from the environment. The automaton cannot simply stop at 
some point and refuse to allow time to elapse; it must allow time to pass to infinity if the 
environment does so. Previous studies of receptiveness properties include [12, 1, 36, 24]. 
The notion of receptiveness for TIOAs as discussed here is a special case of the same notion 
for HIOAs [22]. 

We build our definition of receptiveness on our earlier definition of progressive TIOAs. 
Namely, we define a strategy for resolving nondeterministic choices, and define receptive- 
ness in terms of the existence of a progressive strategy. 

We define a strategy for a TIOA $A$ to be a TIOA $A'$ that differs from $A$ only in that 
$\mathcal{D}' \subseteq \mathcal{D}$ and $\mathcal{T}' \subseteq \mathcal{T}$. That is, we require: 

• $\mathcal{D}' \subseteq \mathcal{D}$. 

• $\mathcal{T}' \subseteq \mathcal{T}$. 

• $X = X'$, $Q = Q'$, $\Theta = \Theta'$, $E = E'$, $H = H'$, $I = I'$, and $O = O'$. 

Our strategies are nondeterministic and memoryless. They provide a way of choosing some 
of the evolutions that are possible from each state $x$ of $A$. The fact that the state set $Q'$ 
of $A'$ is the same as the state set $Q$ of $A$ implies that $A'$ chooses evolutions from every 
state of $A$. 

Notions of strategy have been used also in previous studies of receptiveness [12, 1, 
36, 24]. However, in these earlier works, strategies have been formalized using two-player 
games rather than automata. Defining strategies using automata allows us to avoid intro- 
ducing extra mathematical machinery. 

Lemma 7.5 If $A'$ is a strategy for $A$, then every execution fragment of $A'$ is also an 
execution fragment of $A$. 

We define a TIOA to be receptive if it has a progressive strategy. The following theorem 
says that any receptive TIOA can respond to any inputs from the environment. 

Theorem 7.6 Every receptive TIOA is I/O feasible. 

Proof: The proof is similar to that of the corresponding theorem for HIOAs [22]. ■ 

Example 7.7 (Progressive and receptive TIOAs) The time-bounded channel automaton 
described in Example 4.1 is not progressive since it allows for an infinite execution 
in which send and receive actions alternate without any passage of time in between. The 
time-bounded channel automaton is receptive, however, as we may construct a progressive 
strategy for it by adding a condition $u = now$ to the precondition of the receive action. 
In this way we enforce that the channel operates maximally slow and messages are only 
delivered at their delivery deadline. The clock synchronization automaton of Example 4.6 
is progressive (and therefore receptive) since it can only generate a locally controlled action 
each time its physical clock advances by $u$ time units and the real time that elapses 
between two locally produced actions is at least $u(1 - \rho)$ time units. ■ 
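As an added example (not code from the paper), the following Python model makes the two claims about the time-bounded channel executable: the E1/E2 check of Example 7.1 and the progressive strategy of Example 7.7 obtained by adding $u = now$ to the receive precondition. The concrete state encoding (a clock `now` and a queue of (message, deadline) pairs with deadline = send time + b, trajectories never passing a pending deadline) is our assumption, chosen to match the informal description of $TimedChannel(b, M)$.

```python
# Added example, not part of the paper. State encoding is an assumption.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class State:
    now: float = 0.0
    queue: tuple = ()          # (message, deadline) pairs, oldest first


class TimedChannel:
    """Input action: send(m).  Output (locally controlled) action: receive(m).

    With strategy=True this is the strategy of Example 7.7: receive(m) gets
    the extra precondition u = now, so the head message may only be
    delivered exactly at its deadline."""

    def __init__(self, b: float, strategy: bool = False):
        self.b = b
        self.strategy = strategy

    # ---- discrete actions ----------------------------------------------
    def send(self, x: State, m) -> State:
        # Axiom E1: an input has no precondition, so it is enabled everywhere.
        return State(x.now, x.queue + ((m, x.now + self.b),))

    def receive_enabled(self, x: State, m) -> bool:
        if not x.queue or x.queue[0][0] != m:
            return False
        head_deadline = x.queue[0][1]
        # Plain channel: deliver any time before the deadline.
        # Strategy: deliver only when u = now (float compare with tolerance).
        return (not self.strategy) or math.isclose(head_deadline, x.now, abs_tol=1e-9)

    def receive(self, x: State, m) -> State:
        if not self.receive_enabled(x, m):
            raise ValueError("receive(%r) is disabled in %r" % (m, x))
        return State(x.now, x.queue[1:])

    # ---- trajectories --------------------------------------------------
    def max_advance(self, x: State) -> float:
        """Limit time of the longest trajectory from x: time may pass until the
        earliest pending deadline, or forever (inf) if the queue is empty."""
        if not x.queue:
            return math.inf
        return min(d for _, d in x.queue) - x.now

    def advance(self, x: State, t: float) -> State:
        if t > self.max_advance(x):
            raise ValueError("trajectory would pass a delivery deadline")
        return State(x.now + t, x.queue)

    def e2_witness(self, x: State):
        """Axiom E2, checked constructively. Returns ('admissible', inf) when time
        can advance forever from x, otherwise ('closed', t): after a closed
        trajectory of length t some locally controlled action is enabled
        (t = 0 is the point trajectory used in Example 7.1)."""
        if not x.queue:
            return ("admissible", math.inf)
        head = x.queue[0][0]
        if self.receive_enabled(x, head):
            return ("closed", 0.0)
        t = self.max_advance(x)
        y = self.advance(x, t)
        assert self.receive_enabled(y, head)   # output enabled at the deadline
        return ("closed", t)


def zero_time_receives(chan: TimedChannel, n: int) -> int:
    """Attempt the locally-Zeno execution of Example 7.7: n rounds of send
    immediately followed by receive with no time passage. Returns how many
    receives succeeded; n for the plain channel, 0 for the strategy (b > 0)."""
    x = State()
    done = 0
    for i in range(n):
        m = "m%d" % i
        x = chan.send(x, m)
        if not chan.receive_enabled(x, m):
            break
        x = chan.receive(x, m)
        done += 1
    return done


if __name__ == "__main__":
    plain, strat = TimedChannel(b=2.0), TimedChannel(b=2.0, strategy=True)
    print("plain channel zero-time receives:", zero_time_receives(plain, 5))
    print("strategy zero-time receives:", zero_time_receives(strat, 5))
    print("E2 witness after a send (strategy):", strat.e2_witness(strat.send(State(), "m")))
```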



7.4 Implementation Relationships 

Two TIOAs $A_1$ and $A_2$ are comparable if their inputs and outputs coincide, that is, if 
$I_1 = I_2$ and $O_1 = O_2$. If $A_1$ and $A_2$ are comparable, then $A_1 \le A_2$ is defined to mean 
that the traces of $A_1$ are included among those of $A_2$: $A_1 \le A_2 \triangleq traces_{A_1} \subseteq traces_{A_2}$. 

Lemma 7.8 Let $A_1$, $A_2$ be two comparable TIOAs and let $B_1$, $B_2$ be, respectively, the 
underlying TAs for $A_1$ and $A_2$. Then $B_1$ and $B_2$ are comparable and $A_1 \le A_2$ iff $B_1 \le B_2$. 

Proof: Immediate from the definitions. ■ 



7.5 Simulation Relations 

The definition of forward simulation for TIOAs is the same as for TAs. Formally, if 
$A_1 = (B_1, I_1, O_1)$ and $A_2 = (B_2, I_2, O_2)$ are two comparable TIOAs, then a forward 
simulation from $A_1$ to $A_2$ is a forward simulation from $B_1$ to $B_2$. 

Theorem 7.9 If $A_1$ and $A_2$ are comparable TIOAs and there is a forward simulation 
from $A_1$ to $A_2$, then $A_1 \le A_2$. 

The definitions and results about backward simulations, history and prophecy relations 
for timed automata from Section 4 carry over to timed automata with input and output 
distinction in a similar fashion. 



8 Operations on Timed I/O Automata 

8.1 Composition 

In this section, we define the operations of composition and hiding and present projec- 
tion, pasting and substitutivity results for TIOAs. We revisit the special kinds of TIOAs 
introduced in Section 7 and show that the classes of progressive and receptive timed I/O 
automata are closed under composition, while this is not true for the class of I/O feasible 
automata. 
8.1.1 Definitions and Basic Results

The definition of composition for TIOAs is based on the corresponding definition for TAs, but also takes the input/output structure into account. We say that TIOAs $A_1$ and $A_2$ are compatible if, for $i \ne j$, $X_i \cap X_j = H_i \cap A_j = O_i \cap O_j = \emptyset$.

Lemma 8.1 If $A_1 = (B_1, I_1, O_1)$ and $A_2 = (B_2, I_2, O_2)$ are compatible TIOAs, then $B_1$ and $B_2$ are compatible TAs.

If $A_1$ and $A_2$ are compatible TIOAs then their composition $A_1 \| A_2$ is defined to be the tuple $A = (B, I, O)$ where

• $B = B_1 \| B_2$,

• $I = (I_1 \cup I_2) - (O_1 \cup O_2)$,

• $O = O_1 \cup O_2$.

Thus, an external action of the composition is classified as an output if it is an output of 
one of the component automata, and otherwise it is classified as an input. The composition 
of two TIOAs is guaranteed to be a TIOA: 

Theorem 8.2 If $A_1$ and $A_2$ are compatible TIOAs then $A_1 \| A_2$ is a TIOA.

Proof: The proof is straightforward except for showing that Axiom E2 is satisfied by the composition. Let $x$ be a state of $A_1 \| A_2$. We need to show the existence of a trajectory from $x$ that satisfies E2.

By definition of $A_1 \| A_2$, $x \lceil X_1$ is a state of $A_1$ and $x \lceil X_2$ is a state of $A_2$. We know that both $A_1$ and $A_2$ satisfy E2. Let $\tau_1$ be a trajectory of $A_1$ with $\tau_1.fstate = x \lceil X_1$ that satisfies E2, let $\tau_2$ be a trajectory of $A_2$ with $\tau_2.fstate = x \lceil X_2$ that satisfies E2, and consider the following cases:

1. $\tau_1.ltime = \infty$ and $\tau_2.ltime = \infty$.

Then define $\tau$ such that $\tau \downarrow X_1 = \tau_1$ and $\tau \downarrow X_2 = \tau_2$.

2. $\tau_1.ltime = \infty$ and $\tau_2$ is closed where some $l \in L_2$ is enabled in $\tau_2.lstate$.

Then define $\tau$ such that $\tau \downarrow X_1 = \tau_1 \lceil dom(\tau_2)$ and $\tau \downarrow X_2 = \tau_2$.

3. $\tau_1$ is closed where some $l \in L_1$ is enabled in $\tau_1.lstate$ and $\tau_2.ltime = \infty$.

Then define $\tau$ such that $\tau \downarrow X_1 = \tau_1$ and $\tau \downarrow X_2 = \tau_2 \lceil dom(\tau_1)$.

4. $\tau_1$ is closed where some $l \in L_1$ is enabled in $\tau_1.lstate$ and $\tau_2$ is closed where some $l \in L_2$ is enabled in $\tau_2.lstate$.

If $dom(\tau_1) \subseteq dom(\tau_2)$, then define $\tau$ such that $\tau \downarrow X_1 = \tau_1$ and $\tau \downarrow X_2 = \tau_2 \lceil dom(\tau_1)$. Otherwise, define $\tau$ such that $\tau \downarrow X_1 = \tau_1 \lceil dom(\tau_2)$ and $\tau \downarrow X_2 = \tau_2$.

In all the cases, by definition of trajectories for a TIOA, $\tau$ is a trajectory of $A_1 \| A_2$ from $x$, which satisfies E2 by construction. ■



Note that this theorem is stronger than the corresponding theorem (Theorem 6.12 
in [22]) for general HIOAs. Two HIOAs Ai and A2 are required to be "strongly compati- 
ble" for their composition to be a hybrid I/O automaton. This extra condition is needed 
to rule out dependencies among external variables that may prevent the component au- 
tomata from evolving together. The absence of external variables in TIOA eliminates this 
kind of problematic behavior. Thus, for the timed case, we do not require the notion of 
strong compatibility that was needed for the hybrid case. 

Composition of TIOAs satisfies the following projection and pasting result, which follows from Theorem 5.4.

Theorem 8.3 Let $A_1$ and $A_2$ be compatible TIOAs, and let $A = A_1 \| A_2$. Then $traces_A$ is exactly the set of $(E, \emptyset)$-sequences whose restrictions to $A_1$ and $A_2$ are traces of $A_1$ and $A_2$, respectively. That is, $traces_A = \{\beta \mid \beta$ is an $(E, \emptyset)$-sequence and $\beta \lceil (E_i, \emptyset) \in traces_{A_i}, i \in \{1, 2\}\}$.

8.1.2 Substitutivity Results 

The following theorem is analogous to Theorem 5.8 for TAs without input/output distinc- 
tion. It shows that the introduction of the input/output distinction does not cause any 
changes to the substitutivity results we obtained for general TAs. 

Theorem 8.4 Suppose $A_1$ and $A_2$ are comparable TIOAs with $A_1 \le A_2$. Suppose that $B$ is a TIOA that is compatible with each of $A_1$ and $A_2$. Then $A_1 \| B \le A_2 \| B$.

The corollaries below follow from Corollaries 5.9 and 5.10 of Theorem 5.8.

Corollary 8.5 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TIOAs, $A_1$ and $A_2$ are comparable, $B_1$ and $B_2$ are comparable, and each of $A_1$ and $A_2$ is compatible with each of $B_1$ and $B_2$. If $A_1 \le A_2$ and $B_1 \le B_2$ then $A_1 \| B_1 \le A_2 \| B_2$.

Corollary 8.6 Suppose $A_1$, $A_2$, $B_1$, and $B_2$ are TIOAs, $A_1$ and $A_2$ are comparable, $B_1$ and $B_2$ are comparable, and each of $A_1$ and $A_2$ is compatible with each of $B_1$ and $B_2$. If $A_1 \| B_2 \le A_2 \| B_2$ and $B_1 \le B_2$ then $A_1 \| B_1 \le A_2 \| B_2$.
The basic substitutivity theorem, Theorem 8.4, is desirable for any formalism for interacting processes. For design purposes, it enables one to refine individual components without violating the correctness of the system as a whole. For verification purposes, it enables one to prove that a composite system satisfies its specification by proving that each component satisfies its specification, thereby breaking down the verification task into more manageable pieces. However, it might not always be possible or easy to show that each component $A_1$ (resp. $B_1$) satisfies its specification $A_2$ (resp. $B_2$) without using any assumptions about the environment of the component. Assume-guarantee style results such as those presented in [19, 33, 38, 1, 2, 18, 39] are special kinds of substitutivity results that state what guarantees are expected from each component in an environment constrained by certain assumptions. Since the environment of each component consists of the other components in the system, assume-guarantee style results need to break the circular dependencies between the assumptions and guarantees for components. We present below two assume-guarantee style theorems, Theorem 8.7 and Corollary 8.8, which can be used for proving that a system specified as a composite automaton $A_1 \| B_1$ implements a specification represented by a composite automaton $A_2 \| B_2$.

The main idea behind Theorem 8.7 is to assume that $A_1$ implements $A_2$ in a context represented by $B_2$, and symmetrically that $B_1$ implements $B_2$ in a context represented by $A_2$, where $A_2$ and $B_2$ are automata whose trace sets are closed under limits. The requirement about limit-closure implies that $A_2$ and $B_2$ specify trace safety properties. Moreover, we assume that the trace sets of $A_2$ and $B_2$ are closed under time-extension. That is, the automata allow arbitrary time-passage. This is the most general assumption one could make to ensure that $A_2 \| B_2$ does not impose stronger constraints on time-passage than $A_1 \| B_1$. Note that the definitions of limit and time extension of a hybrid sequence can be found in Section 9.2.

Theorem 8.7 Suppose $A_1$, $A_2$, $B_1$, $B_2$ are TIOAs such that $A_1$ and $A_2$ are comparable, $B_1$ and $B_2$ are comparable, and $A_i$ is compatible with $B_i$ for $i \in \{1, 2\}$. Suppose further that:

1. The sets $traces_{A_2}$ and $traces_{B_2}$ are closed under limits.

2. The sets $traces_{A_2}$ and $traces_{B_2}$ are closed under time-extension.

3. $A_1 \| B_2 \le A_2 \| B_2$ and $A_2 \| B_1 \le A_2 \| B_2$.

Then $A_1 \| B_1 \le A_2 \| B_2$.

Proof: We first prove by induction on the length of traces of $A_1 \| B_1$ that every closed trace of $A_1 \| B_1$ is a trace of $A_2 \| B_2$.

For the base case, let $\beta$ be a trace of $A_1 \| B_1$ such that $\beta \in trajs(\emptyset)$ (a single trajectory over the empty set of variables). By Axiom T0 in the definition of a TA, we know that $A_2$ and $B_2$ have traces $\alpha_1$ and $\alpha_2$ such that $\alpha_1.ltime = \alpha_2.ltime = 0$. By Assumption 2 we have $\alpha_1 \frown \beta \in traces_{A_2}$ and $\alpha_2 \frown \beta \in traces_{B_2}$. Since $\alpha_1 \frown \beta = \beta$ and $\alpha_2 \frown \beta = \beta$, it follows that $\beta \in traces_{A_2}$ and $\beta \in traces_{B_2}$. By pasting using Theorem 8.3, $\beta \in traces_{A_2 \| B_2}$, as needed.

For the inductive step we consider the following cases:

1. $\beta = \beta' a \tau$, where $a$ is an output action of $A_1$ and $\tau$ is a point trajectory.

Then $\beta \lceil (E_{A_1}, \emptyset) \in traces_{A_1}$ by projection using Theorem 8.3. By the inductive hypothesis, $\beta' \in traces_{A_2 \| B_2}$. So $\beta' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$, by projection using Theorem 8.3. Let $\alpha$ be an execution of $B_2$ such that $trace(\alpha) = \beta' \lceil (E_{B_2}, \emptyset)$. Since $A_1$ and $B_1$ are compatible TIOAs, $B_1$ and $B_2$ are comparable, and $a$ is an output action of $A_1$, we know that either $a$ is an input action of $B_2$ or the action set of $B_2$ does not contain $a$. In the former case, by the input-enabling axiom (E1) we know that there exists $x'$ such that $(\alpha.lstate, a, x')$ is a discrete transition of $B_2$. It follows that $\beta \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. In the latter case, since $\beta \lceil (E_{B_2}, \emptyset) = \beta' \lceil (E_{B_2}, \emptyset)$ and $\beta' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$, we get $\beta \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. By pasting using Theorem 8.3, $\beta \in traces_{A_1 \| B_2}$. Then by Assumption 3, $\beta \in traces_{A_2 \| B_2}$.

2. $\beta = \beta' b \tau$, where $b$ is an output action of $B_1$ and $\tau$ is a point trajectory.

This case is symmetric with the previous one.

3. $\beta = \beta' c \tau$, where $c$ is an input action of both $A_1$ and $B_1$ and $\tau$ is a point trajectory.

By the inductive hypothesis, $\beta' \in traces_{A_2 \| B_2}$. By projection using Theorem 8.3 we get $\beta' \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$ and $\beta' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. Let $\alpha$ be an execution of $A_2$ such that $trace(\alpha) = \beta' \lceil (E_{A_2}, \emptyset)$. Since $A_1$ and $A_2$ are comparable and $c$ is an input action of $A_1$, we know that $c$ is an input action of $A_2$. By the input-enabling axiom (E1) we know that there exists $x'$ such that $(\alpha.lstate, c, x')$ is a discrete transition of $A_2$. It follows that $\beta \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$. Similarly, let $\alpha'$ be an execution of $B_2$ such that $trace(\alpha') = \beta' \lceil (E_{B_2}, \emptyset)$. Since $B_1$ and $B_2$ are comparable and $c$ is an input action of $B_1$, we know that $c$ is an input action of $B_2$. By the input-enabling axiom (E1) we know that there exists $y'$ such that $(\alpha'.lstate, c, y')$ is a discrete transition of $B_2$. It follows that $\beta \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. By pasting using Theorem 8.3, we get $\beta \in traces_{A_2 \| B_2}$.

4. $\beta = \beta' d \tau$, where $d$ is an input action of $A_1$ but not an action of $B_1$ and $\tau$ is a point trajectory.

By the inductive hypothesis, $\beta' \in traces_{A_2 \| B_2}$. By projection using Theorem 8.3, we have $\beta' \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$ and $\beta' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. Let $\alpha$ be an execution of $A_2$ such that $trace(\alpha) = \beta' \lceil (E_{A_2}, \emptyset)$. Since $A_1$ and $A_2$ are comparable TIOAs and $d$ is an input action of $A_1$, $d$ must be an input action of $A_2$. By the input-enabling axiom (E1) we know that there exists $x'$ such that $(\alpha.lstate, d, x')$ is a discrete transition of $A_2$. It follows that $\beta \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$. Since $B_1$ and $B_2$ are comparable and $d$ is not an action of $B_1$, $d$ cannot be an external action of $B_2$. Therefore, $\beta \lceil (E_{B_2}, \emptyset) = \beta' \lceil (E_{B_2}, \emptyset)$. Since $\beta' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$ we get $\beta \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. By pasting using Theorem 8.3, we get $\beta \in traces_{A_2 \| B_2}$.

5. $\beta = \beta' d \tau$, where $d$ is an input action of $B_1$ but not an action of $A_1$ and $\tau$ is a point trajectory.

This case is symmetric with the previous one.

6. $\beta = \beta' \frown \beta''$, where $\beta''$ is a hybrid sequence consisting of a single trajectory $\tau$.

By the inductive hypothesis, $\beta' \in traces_{A_2 \| B_2}$. By projection using Theorem 8.3, we get $\beta' \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$ and $\beta' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. By Assumption 2, we have $\beta' \lceil (E_{A_2}, \emptyset) \frown \beta'' \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$ and $\beta' \lceil (E_{B_2}, \emptyset) \frown \beta'' \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. Then by pasting using Theorem 8.3, $\beta \in traces_{A_2 \| B_2}$, as needed.

We have thus shown that every closed trace of $A_1 \| B_1$ is a trace of $A_2 \| B_2$. Now consider any non-closed trace $\beta$ of $A_1 \| B_1$. This $\beta$ can be written as the limit of a sequence $\beta_1 \beta_2 \cdots$ of closed traces of $A_1 \| B_1$. By the first part of the proof we know that each $\beta_i \in traces_{A_2 \| B_2}$, and by projection using Theorem 8.3 each $\beta_i \lceil (E_{A_2}, \emptyset)$ is a closed trace of $A_2$, and $\beta_i \lceil (E_{B_2}, \emptyset)$ is a closed trace of $B_2$. We know that $\beta \lceil (E_{A_2}, \emptyset)$ is the limit of the $\beta_i \lceil (E_{A_2}, \emptyset)$ and similarly $\beta \lceil (E_{B_2}, \emptyset)$ is the limit of the $\beta_i \lceil (E_{B_2}, \emptyset)$. Since the sets $traces_{A_2}$ and $traces_{B_2}$ are limit-closed by Assumption 1, we get $\beta \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$ and $\beta \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. Finally, by pasting using Theorem 8.3, we get $\beta \in traces_{A_2 \| B_2}$. ■

Note that automata with FIN and timing-independence (see Section 4.3.1 for defini- 
tions) constitute examples for context automata A2 and B2 that satisfy Assumptions 1 
and 2. The property FIN implies Assumption 1 (Lemma 4.18) and timing-independence 
implies Assumption 2. 

Theorem 8.7 has a corollary, Corollary 8.8 below, which can be used in the decomposition of proofs even when $A_2$ and $B_2$ neither admit arbitrary time-passage nor have limit-closed trace sets. The main idea behind this corollary is to assume that $A_1$ implements $A_2$ in a context $B_3$ that is a variant of $B_2$, and symmetrically that $B_1$ implements $B_2$ in a context $A_3$ that is a variant of $A_2$. That is, the correctness of the implementation relationship between $A_1$ and $A_2$ does not depend on all the environment constraints, just on those expressed by $B_3$ (symmetrically for $B_1$, $B_2$, and $A_3$). In order to use this corollary to prove $A_1 \| B_1 \le A_2 \| B_2$ one needs to be able to find appropriate variants of $A_2$ and $B_2$ that meet the required closure properties. This corollary prompts one to pin down what is essential about the behavior of the environment in proving the intended implementation relationship, and also allows one to avoid the unnecessary details of the environment in proofs. In Section 9 we extend this corollary to the case where properties, typically liveness properties, are added to automaton specifications.
Corollary 8.8 Suppose $A_1$, $A_2$, $A_3$, $B_1$, $B_2$, $B_3$ are TIOAs such that $A_1$, $A_2$, and $A_3$ are comparable, $B_1$, $B_2$, and $B_3$ are comparable, and $A_i$ is compatible with $B_i$ for $i \in \{1, 2, 3\}$. Suppose further that:

1. The sets $traces_{A_3}$ and $traces_{B_3}$ are closed under limits.

2. The sets $traces_{A_3}$ and $traces_{B_3}$ are closed under time-extension.

3. $A_2 \| B_3 \le A_3 \| B_3$ and $A_3 \| B_2 \le A_3 \| B_3$.

4. $A_1 \| B_3 \le A_2 \| B_3$ and $A_3 \| B_1 \le A_3 \| B_2$.

Then $A_1 \| B_1 \le A_2 \| B_2$.

Proof: Since $A_2 \| B_3 \le A_3 \| B_3$ by Assumption 3 and $A_1 \| B_3 \le A_2 \| B_3$ by Assumption 4, we get $A_1 \| B_3 \le A_2 \| B_3 \le A_3 \| B_3$. Similarly we have $A_3 \| B_1 \le A_3 \| B_2 \le A_3 \| B_3$. Since $A_1 \| B_3 \le A_3 \| B_3$ and $A_3 \| B_1 \le A_3 \| B_3$, by using Assumptions 1 and 2 and Theorem 8.7 we have $A_1 \| B_1 \le A_3 \| B_3$.

Let $\beta$ be a trace of $A_1 \| B_1$. By projection using Theorem 8.3, $\beta \lceil (E_{A_1}, \emptyset) \in traces_{A_1}$ and $\beta \lceil (E_{B_1}, \emptyset) \in traces_{B_1}$. Since $A_1 \| B_1 \le A_3 \| B_3$, we know that $\beta \in traces_{A_3 \| B_3}$. By projection using Theorem 8.3, $\beta \lceil (E_{A_3}, \emptyset) \in traces_{A_3}$ and $\beta \lceil (E_{B_3}, \emptyset) \in traces_{B_3}$. By pasting using Theorem 8.3, we have $\beta \in traces_{A_1 \| B_3}$ and $\beta \in traces_{A_3 \| B_1}$. By Assumption 4, we get $\beta \in traces_{A_2 \| B_3}$ and $\beta \in traces_{A_3 \| B_2}$. Then, by projection using Theorem 8.3, $\beta \lceil (E_{A_2}, \emptyset) \in traces_{A_2}$ and $\beta \lceil (E_{B_2}, \emptyset) \in traces_{B_2}$. Finally, by pasting using Theorem 8.3 we have $\beta \in traces_{A_2 \| B_2}$, as needed. ■

Example 8.9 (Using environment assumptions to prove safety)

This example illustrates that, in cases where specifications $A_2$ and $B_2$ satisfy certain closure properties, it is possible to decompose the proof of $A_1 \| B_1 \le A_2 \| B_2$ by using Theorem 8.7, even if it is not the case that $A_1 \le A_2$ or $B_1 \le B_2$.

The automata AlternateA and AlternateB in Figure 16 are timing-independent automata in which no consecutive outputs occur without inputs happening in between. AlternateA and AlternateB perform a handshake, outputting an alternating sequence of $a$ and $b$ actions when they are composed. The automata CatchUpA and CatchUpB in Figure 17 are timing-dependent automata that do not necessarily alternate inputs and outputs as AlternateA and AlternateB do. CatchUpA can perform an arbitrary number of $b$ actions, and can perform an $a$ provided that $counta \le countb$. It allows $counta$ to increase to one more than $countb$. CatchUpB can perform an arbitrary number of $a$ actions, and can perform a $b$ provided that $counta \ge countb + 1$. It allows $countb$ to reach $counta$. Timing constraints require each output to occur exactly one time unit after the last action. CatchUpA and CatchUpB perform an alternating sequence of $a$ actions and $b$ actions when they are composed.
Automaton AlternateA
  Variables X:     discrete myturn ∈ Bool initially true
  States Q:        val(X)
  Actions A:       input b, output a
  Transitions D:
    input b
      effect
        myturn := true
    output a
      precondition
        myturn
      effect
        myturn := false
  Trajectories T:  satisfies
        constant(myturn)

Automaton AlternateB
  Variables X:     discrete myturn ∈ Bool initially false
  States Q:        val(X)
  Actions A:       input a, output b
  Transitions D:
    input a
      effect
        myturn := true
    output b
      precondition
        myturn
      effect
        myturn := false
  Trajectories T:  satisfies
        constant(myturn)

Figure 16: Example automata for A2 and B2 in Theorem 8.7

Suppose that we want to prove that $CatchUpA \| CatchUpB \le AlternateA \| AlternateB$. We cannot apply the basic substitutivity theorem, Theorem 8.4, in particular Corollary 8.5, since the assertions $CatchUpA \le AlternateA$ and $CatchUpB \le AlternateB$ are not true. Consider the trace $\tau_0\, b\, \tau_1\, a\, \tau_2\, a\, \tau_3$ of CatchUpA, where $\tau_0$, $\tau_1$, $\tau_2$ and $\tau_3$ are trajectories with limit time 1. After having performed one $b$ and one $a$, CatchUpA can perform another $a$. But this is impossible for AlternateA, which needs an input to enable the second $a$. AlternateA and CatchUpA behave similarly only when put in a context that imposes alternation.

It is easy to check that AlternateA and AlternateB satisfy the closure properties required by Assumptions 1 and 2 of Theorem 8.7 and, hence, can be substituted for $A_2$ and $B_2$, respectively. Similarly, we can easily check that Assumption 3 is satisfied if we substitute CatchUpA for $A_1$ and CatchUpB for $B_1$.

Automaton CatchUpA
  Variables X:     discrete counta, countb ∈ N initially
                   analog now ∈ R≥0 initially
                   analog next ∈ R≥0 ∪ {∞} initially
  States Q:        val(X)
  Actions A:       input b, output a
  Transitions D:
    input b
      effect
        countb := countb + 1
        next := now + 1
    output a
      precondition
        counta ≤ countb ∧ now = next
      effect
        counta := counta + 1
        next := now + 1
  Trajectories T:  satisfies
        constant(counta, countb)
      stops when
        now = next

Automaton CatchUpB
  Variables X:     discrete counta, countb ∈ N initially
                   analog now ∈ R≥0 initially
                   analog next ∈ R≥0 ∪ {∞} initially
  States Q:        val(X)
  Actions A:       input a, output b, internal c
  Transitions D:
    input a
      effect
        counta := counta + 1
        next := now + 1
    output b
      precondition
        countb + 1 ≤ counta ∧ now = next
      effect
        countb := countb + 1
        next := now + 1
  Trajectories T:  satisfies
        constant(counta, countb)
      stops when
        now = next

Figure 17: Example automata A1 and B1 for Theorem 8.7
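The claims of Example 8.9 can be checked mechanically. The following Python model is an added illustration, not code from the paper: it encodes AlternateA/B and CatchUpA/B, the I/O signature rule of Section 8.1.1, a trace-membership check for a composition, and a runner for a closed composition. It assumes that the counters and $now$ start at 0, that $next$ starts at 1 in the CatchUp automata, that $d(now) = 1$, and that a trace is written as a list of ("wait", d) time-passage steps and action names.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple, Union

Step = Union[Tuple[str, float], str]   # ("wait", d) or an action name
State = Dict[str, object]


@dataclass
class Automaton:
    """One TIOA: its I/O signature, a valuation of its variables, the
    precondition of each output and the effect of each action."""
    inputs: FrozenSet[str]
    outputs: FrozenSet[str]
    state: State
    pre: Dict[str, Callable[[State], bool]]
    eff: Dict[str, Callable[[State], None]]

    def actions(self) -> FrozenSet[str]:
        return self.inputs | self.outputs

    def enabled(self, act: str) -> bool:
        # Axiom E1: inputs are always enabled; outputs need their precondition.
        return act in self.inputs or self.pre[act](self.state)

    def can_wait(self, d: float) -> bool:
        # 'stops when now = next': a trajectory may not run past `next`.
        if "now" not in self.state:
            return True                        # timing-independent automaton
        return self.state["now"] + d <= self.state["next"]

    def wait(self, d: float) -> None:
        if "now" in self.state:
            self.state["now"] += d             # assumes d(now) = 1


def alternate(inp: str, out: str, myturn: bool) -> Automaton:
    """Figure 16: an input hands the turn over, an output needs and spends it."""
    return Automaton(frozenset({inp}), frozenset({out}), {"myturn": myturn},
                     pre={out: lambda s: bool(s["myturn"])},
                     eff={inp: lambda s: s.update(myturn=True),
                          out: lambda s: s.update(myturn=False)})


def catch_up(inp: str, out: str, guard: Callable[[State], bool]) -> Automaton:
    """Figure 17: every action bumps its counter and sets the next deadline one
    time unit ahead; an output additionally needs `guard` and now = next."""
    def bump(var: str) -> Callable[[State], None]:
        def eff(s: State) -> None:
            s[var] += 1
            s["next"] = s["now"] + 1
        return eff
    # Assumed initial values: counters and now at 0, first deadline at 1.
    return Automaton(frozenset({inp}), frozenset({out}),
                     {"counta": 0, "countb": 0, "now": 0.0, "next": 1.0},
                     pre={out: lambda s: guard(s) and s["now"] == s["next"]},
                     eff={"a": bump("counta"), "b": bump("countb")})


def alternate_a() -> Automaton:
    return alternate("b", "a", True)

def alternate_b() -> Automaton:
    return alternate("a", "b", False)

def catch_up_a() -> Automaton:
    return catch_up("b", "a", lambda s: s["counta"] <= s["countb"])

def catch_up_b() -> Automaton:
    return catch_up("a", "b", lambda s: s["countb"] + 1 <= s["counta"])


def signature(parts: List[Automaton]) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Signature of the composition: O = O1 ∪ O2, I = (I1 ∪ I2) − O."""
    outs = frozenset().union(*(p.outputs for p in parts))
    ins = frozenset().union(*(p.inputs for p in parts)) - outs
    return ins, outs


def accepts(parts: List[Automaton], trace: List[Step]) -> bool:
    """Trace membership for the composition of `parts` (mutates their states).
    Every component that has an action takes it, so an output must be enabled
    in its owner; time passes in all components together."""
    for step in trace:
        if isinstance(step, tuple):
            d = step[1]
            if not all(p.can_wait(d) for p in parts):
                return False
            for p in parts:
                p.wait(d)
            continue
        owners = [p for p in parts if step in p.actions()]
        if not owners or not all(p.enabled(step) for p in owners):
            return False
        for p in owners:
            p.eff[step](p.state)
    return True


def run_outputs(parts: List[Automaton], rounds: int) -> List[Tuple[float, str]]:
    """Let a closed composition run by itself: wait until the earliest deadline,
    then fire the unique enabled output.  Stops early if there is none."""
    clock, produced = 0.0, []
    for _ in range(rounds):
        deadlines = [p.state["next"] - p.state["now"] for p in parts if "now" in p.state]
        d = min(deadlines) if deadlines else 1.0   # timing-independent: any wait
        if not all(p.can_wait(d) for p in parts):
            break
        for p in parts:
            p.wait(d)
        clock += d
        ready = [a for p in parts for a in p.outputs if p.enabled(a)]
        if len(ready) != 1:
            break
        for p in parts:
            if ready[0] in p.actions():
                p.eff[ready[0]](p.state)
        produced.append((clock, ready[0]))
    return produced


if __name__ == "__main__":
    # Example 8.9's trace tau0 b tau1 a tau2 a tau3 (each trajectory lasts 1):
    # CatchUpA admits it, AlternateA does not, so CatchUpA is not <= AlternateA.
    t: List[Step] = [("wait", 1.0), "b", ("wait", 1.0), "a", ("wait", 1.0), "a", ("wait", 1.0)]
    print(accepts([catch_up_a()], t), accepts([alternate_a()], t))       # True False
    # In the closed composition the counters and deadlines force alternation.
    print(signature([catch_up_a(), catch_up_b()]), run_outputs([catch_up_a(), catch_up_b()], 4))
```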



Example 8.10 (Extracting essential environment assumptions with auxiliary automata) This example illustrates that it may be possible to decompose verification, using Corollary 8.8, in cases where Theorem 8.7 is not applicable. If the aim is to show $A_1 \| B_1 \le A_2 \| B_2$ where $A_2$ and $B_2$ do not satisfy the assumptions of Theorem 8.7, then we find appropriate context automata $A_3$ and $B_3$ that abstract from those details of $A_2$ and $B_2$ that are not essential in proving $A_1 \| B_1 \le A_2 \| B_2$.

Consider the automata UseOldInputA and UseOldInputB in Figure 18. UseOldInputA keeps track of whether or not it is UseOldInputA's turn, and when it is UseOldInputA's turn, it keeps track of the next time it is supposed to perform an output. The number of outputs that UseOldInputA can perform is bounded by a natural number. In the case of repeated $b$ inputs, it is the oldest input that determines when the next output will occur. The automaton UseOldInputB is the same as UseOldInputA (inputs and outputs reversed) except that the turn variable of UseOldInputB is set to false initially. Note that UseOldInputA and UseOldInputB are not timing-independent and their trace sets are not limit-closed. For each automaton, there are infinitely many start states, one for each natural number. We can build an infinite chain of traces, where each element in the chain corresponds to an execution starting from a distinct start state. The limit of such a chain, which contains infinitely many outputs, cannot be a trace of UseOldInputA or UseOldInputB since the number of outputs they can perform is bounded by a natural number. The automaton UseNewInputA in Figure 19 behaves similarly to UseOldInputA except for the handling of inputs. In the case of repeated $b$ inputs, it is the most recent input that determines when the next output will occur. The automaton UseNewInputB in Figure 19 is the same as UseNewInputA (inputs and outputs reversed) except that the turn variable of UseNewInputB is set to false initially.

Suppose that we want to prove that:

$UseNewInputA \| UseNewInputB \le UseOldInputA \| UseOldInputB$.

Theorem 8.7 is not applicable here because the high-level automata UseOldInputA and UseOldInputB do not satisfy the required closure properties. However, we can use Corollary 8.8 to decompose verification. It requires us to find auxiliary automata that are less restrictive than UseOldInputA and UseOldInputB but that are restrictive enough to express the constraints that should be satisfied by the environment, for UseNewInputA to implement UseOldInputA and for UseNewInputB to implement UseOldInputB.

The automata AlternateA and AlternateB in Figure 16 can be used as auxiliary automata in this example. They satisfy the closure properties required by Corollary 8.8 and impose alternation, which is the only additional condition needed to ensure the required trace inclusion.
Automaton UseOldInputA
  Variables X:     discrete myturn ∈ Bool initially true
                   discrete maxout ∈ N initially arbitrary
                   analog now ∈ R≥0 initially
                   analog next ∈ R≥0 ∪ {∞} initially
  States Q:        val(X)
  Actions A:       input b, output a
  Transitions D:
    input b
      effect
        myturn := true
        if next = ∞ then next := now + 1
    output a
      precondition
        myturn ∧ (maxout > 0) ∧ (now = next)
      effect
        myturn := false
        maxout := maxout − 1
        next := ∞
  Trajectories T:  satisfies
        constant(myturn, maxout, next)
        d(now) = 1
      stops when
        now = next

Automaton UseOldInputB
  Variables X:     discrete myturn ∈ Bool initially false
                   discrete maxout ∈ N initially arbitrary
                   analog now ∈ R≥0 initially
                   analog next ∈ R≥0 ∪ {∞} initially
  States Q:        val(X)
  Actions A:       input a, output b
  Transitions D:
    input a
      effect
        myturn := true
        if next = ∞ then next := now + 1
    output b
      precondition
        myturn ∧ (maxout > 0) ∧ (now = next)
      effect
        myturn := false
        maxout := maxout − 1
        next := ∞
  Trajectories T:  satisfies
        constant(myturn, maxout, next)
        d(now) = 1
      stops when
        now = next

Figure 18: Example automata for A2 and B2 in Corollary 8.8
Automaton UseNewInputA
  Variables X:     discrete myturn ∈ Bool initially true
                   discrete maxout ∈ N initially arbitrary
                   analog now ∈ R≥0 initially
                   analog next ∈ R≥0 ∪ {∞} initially
  States Q:        val(X)
  Actions A:       input b, output a
  Transitions D:
    input b
      effect
        myturn := true
        next := now + 1
    output a
      precondition
        myturn ∧ (maxout > 0) ∧ (now = next)
      effect
        myturn := false
        maxout := maxout − 1
        next := ∞
  Trajectories T:  satisfies
        constant(myturn, maxout, next)
        d(now) = 1
      stops when
        now = next

Automaton UseNewInputB
  Variables X:     discrete myturn ∈ Bool initially false
                   discrete maxout ∈ N initially arbitrary
                   analog now ∈ R≥0 initially
                   analog next ∈ R≥0 ∪ {∞} initially
  States Q:        val(X)
  Actions A:       input a, output b
  Transitions D:
    input a
      effect
        myturn := true
        next := now + 1
    output b
      precondition
        myturn ∧ (maxout > 0) ∧ (now = next)
      effect
        myturn := false
        maxout := maxout − 1
        next := ∞
  Trajectories T:  satisfies
        constant(myturn, maxout, next)
        d(now) = 1
      stops when
        now = next

Figure 19: Example automata for A1 and B1 in Corollary 8.8
We can define a forward simulation relation from $UseNewInputA \| UseNewInputB$ to $UseOldInputA \| UseOldInputB$, which is based on the equality of the turn variables of the implementation and the specification automata. The fact that this simulation relation only uses the equality of turn variables reinforces the idea that the auxiliary contexts, which only keep track of their turn, capture exactly what is needed for the proof of $UseNewInputA \| UseNewInputB \le UseOldInputA \| UseOldInputB$. We can observe that a direct proof of this assertion would require one to deal with state variables such as $maxout$ and $next$ of both UseOldInputA and UseOldInputB, which do not play any essential role in the proof. On the other hand, by decomposing the proof along the lines of Corollary 8.8 some of the unnecessary details can be avoided. Even though this is a toy example with an easy proof, it should not be hard to observe how this simplification would scale to large proofs.



8.1.3 Composition of Special Kinds of TIOAs 

The following example illustrates that the set of I/O feasible TIOAs is not closed under composition:

Example 8.11 (Two I/O feasible TIOAs whose composition is not I/O feasible)

Consider two I/O feasible TIOAs $A$ and $B$, where $O_A = I_B = \{a\}$ and $O_B = I_A = \{b\}$. Suppose that $A$ performs its output $a$ at time 0 and then waits, allowing time to pass, until it receives input $b$. If and when it receives $b$, it responds with output $a$ without allowing any time to pass (and ignoring any inputs that occur before it has a chance to perform its output). On the other hand, $B$ starts out waiting, allowing time to pass, until it receives input $a$. If and when it receives $a$, it responds with output $b$ without allowing time to pass.

It is not difficult to see that $A$ and $B$ are individually I/O feasible. We claim that the composition $A \| B$ is not I/O feasible. To see this, consider the start state of $A \| B$ and the unique input sequence $\beta$ with $\beta.ltime = \infty$; $\beta$ simply allows time to pass to infinity. The composition $A \| B$ has no way of accommodating this input, since it will never allow time to pass beyond 0. ■

On the other hand, the following theorems say that the classes of progressive and 
receptive TIOAs are closed under composition: 

Theorem 8.12 If $A_1$ and $A_2$ are compatible progressive TIOAs, then their composition is also progressive.

Proof: The proof is similar to the proof of Theorem 7.4 in [22]. The main idea behind the proof is that a Zeno execution of $A_1 \| A_2$ with infinitely many locally controlled actions contains infinitely many locally controlled actions of either $A_1$ or $A_2$. Suppose without loss of generality that the automaton that contributes infinitely many locally controlled actions is $A_1$. Then the projection onto $A_1$ violates progressiveness for $A_1$. ■



Theorem 8.13 Let $A_1$ and $A_2$ be two compatible TIOAs with strategies $A'_1$ and $A'_2$, respectively. Then $A'_1 \| A'_2$ is a strategy for $A_1 \| A_2$.

Proof: The proof is similar to the proof of Theorem 7.7 in [22]. ■

Now, we can state the main result of this section, which follows easily from the previous two theorems. It shows that the class of receptive TIOAs is closed under composition.

Theorem 8.14 Let $A_1$ and $A_2$ be two compatible receptive TIOAs with progressive strategies $A'_1$ and $A'_2$, respectively. Then $A_1 \| A_2$ is a receptive TIOA with progressive strategy $A'_1 \| A'_2$.

Example 8.15 (Composition of receptive TIOAs) Theorem 8.14 implies that the composition of clock synchronization automata with channel automata described in Example 5.7 (viewed as TIOAs as explained in Example 7.1) is receptive. By Theorem 7.6 we also have that it is I/O feasible. ■

In fact, the fact that the set of I/O feasible TIOAs is not closed under composition 
motivated the definition of the more restrictive class of receptive TIOAs. That is, recep- 
tiveness is a reasonable sufficient condition that implies I/O feasibility, and that also is 
preserved by composition. 

The special case of the HIOA model, represented by the TIOA model, has simpler and 
stronger composition theorems than the general HIOA model. In particular, the main 
compositionality result for receptive HIOAs (Theorem 7.12 in [22]) has a more intricate 
proof than ours. It makes an assumption about the existence of strongly compatible 
strategies (discussed briefly at the end of Section 8.1.1) and needs an additional lemma 
that shows that if two HIOAs $A_1$ and $A_2$ which may not be strongly compatible have strongly compatible strategies $A'_1$ and $A'_2$, then $A_1$ and $A_2$ are also strongly compatible.

8.2 Hiding 

We extend the definition of action hiding to any TIOA $A$. For TIOAs, we consider hiding outputs only (but not inputs), by converting them to internal actions. Namely, if $O \subseteq O_A$, then $ActHide(O, A)$ is the TIOA $B$ that is equal to $A$ except that $O_B = O_A - O$ and $H_B = H_A \cup O$.

Lemma 8.16 If $A$ is a TIOA and $O \subseteq O_A$ then $ActHide(O, A)$ is a TIOA.

Lemma 8.17 If $A$ is a TIOA and $O \subseteq O_A$ then $traces_{ActHide(O, A)} = \{\beta \lceil (E_A - O, \emptyset) \mid \beta \in traces_A\}$.

Theorem 8.18 Suppose $A$ and $B$ are TIOAs with $A \le B$, and suppose $O \subseteq O_A$. Then $ActHide(O, A) \le ActHide(O, B)$.

9 Properties for Timed I/O Automata 

In this section, we present some definitions and results for timed I/O automata with properties. We focus on the definitions and results, such as those that involve receptiveness for properties, that become of interest with the introduction of the input/output distinction to the model.

9.1 Definitions and Basic Results 

A property for a timed I/O automaton $A = (B, I, O)$ is defined to be a property of its underlying timed automaton, that is, it is a subset of the execution fragments of $B$.

Now, we introduce a notion of liveness property that takes into account how a system responds to inputs from its environment. A property $P$ for a TIOA $A$ is defined to be an I/O liveness property provided that for each closed execution fragment $\alpha$ of $A$ and each $(I, \emptyset)$-sequence $\beta$, there is some execution fragment $\alpha'$ such that $\alpha' \lceil (I, \emptyset) = \beta$ and $\alpha \frown \alpha' \in P$. In other words, no matter how $A$ behaves for a finite period of time, and no matter what inputs arrive, it is still possible for $A$ to continue in some way and satisfy $P$.

The following theorem relates I/O feasibility and I/O liveness. An I/O feasible TIOA can be characterized by the fact that its set of execution fragments forms an I/O liveness property.

Theorem 9.1 A TIOA is I/O feasible if and only if its set of execution fragments is an I/O liveness property.

Proof: Fix $A$, a TIOA. First, assume that $A$ is I/O feasible. Let $\alpha$ be a closed execution fragment of $A$ with $\alpha.lstate = x$ and let $\beta$ be an $(I, \emptyset)$-sequence. I/O feasibility of $A$ implies that there is some $\alpha'$ from $x$ such that $\alpha' \lceil (I, \emptyset) = \beta$. Since $\alpha \frown \alpha' \in frags_A$, we can conclude that the set of execution fragments $frags_A$ of $A$ is an I/O liveness property.

For the converse, suppose that the set of execution fragments of $A$ is an I/O liveness property. Let $x$ be a state of $A$ and $\beta$ be an $(I, \emptyset)$-sequence. Since the set of execution fragments of $A$ is an I/O liveness property, there must be some $\alpha'$ such that $\wp(x) \frown \alpha' \in frags_A$ and $\alpha' \lceil (I, \emptyset) = \beta$. Clearly, $(\wp(x) \frown \alpha') \lceil (I, \emptyset) = \beta$, and therefore $A$ is I/O feasible. ■
9.2 Composition

The following projection and pasting theorem for TIOAs with properties follows from a 
similar theorem, Theorem 6.24, for TAs with properties. 

Theorem 9.2 Let $A_1$ and $A_2$ be two compatible TIOAs and $P_1$ and $P_2$ be properties for $A_1$ and $A_2$, respectively. Then $traces_{(A_1 \| A_2, P_1 \| P_2)}$ is exactly the set of $(E, \emptyset)$-sequences whose restrictions to $A_1$ and $A_2$ are in $traces_{(A_1, P_1)}$ and $traces_{(A_2, P_2)}$, respectively. That is,

$traces_{(A_1 \| A_2, P_1 \| P_2)} = \{\beta \mid \beta$ is an $(E, \emptyset)$-sequence and $\beta \lceil (E_i, \emptyset) \in traces_{(A_i, P_i)}, i \in \{1, 2\}\}$.

Theorem 8.7 and its corollary presented in Section 8 assume specification automata 
whose trace sets are closed under limits, and hence express safety constraints. In this 
section we present a theorem that can be used in the decomposition of verification where 
the specification automata may also express liveness properties. 

The decomposition of a proof of the assertion $(\mathcal{A}_1, P_1) \| (\mathcal{B}_1, Q_1) \le (\mathcal{A}_2, P_2) \| (\mathcal{B}_2, Q_2)$ 
can be viewed as consisting of two parts. The first part involves the decomposition of the 
proof that $(\mathcal{A}_1, P_1)$ and $(\mathcal{B}_1, Q_1)$ satisfy their safety properties and the second part involves 
the decomposition of the proof that $(\mathcal{A}_1, P_1)$ and $(\mathcal{B}_1, Q_1)$ satisfy their liveness properties. 
Theorem 9.3 uses Corollary 8.8 for the safety part of proofs; the first four hypotheses 
of Theorem 9.3 imply those of Corollary 8.8. The remaining two hypotheses involve 
the liveness part of proofs. They require one to find auxiliary automata with properties, 
$(\mathcal{A}_3, P_3)$ and $(\mathcal{B}_3, Q_3)$, such that $(\mathcal{A}_1, P_1)$ implements $(\mathcal{A}_3, P_3)$ in the context of $\mathcal{B}_3$ without 
relying on the liveness property of $\mathcal{B}_3$, and $(\mathcal{B}_1, Q_1)$ implements $(\mathcal{B}_3, Q_3)$ in the context of 
$\mathcal{A}_3$ without relying on the liveness property of $\mathcal{A}_3$. Moreover, $(\mathcal{A}_1, P_1)$ must implement 
$(\mathcal{A}_2, P_2)$ in the context of $(\mathcal{B}_3, Q_3)$ and $(\mathcal{B}_1, Q_1)$ must implement $(\mathcal{B}_2, Q_2)$ in the context of 
$(\mathcal{A}_3, P_3)$. That is, the implementation relation between $(\mathcal{A}_1, P_1)$ and $(\mathcal{A}_2, P_2)$ depends on 
the liveness property $Q_3$ of the auxiliary context, and the implementation relation between 
$(\mathcal{B}_1, Q_1)$ and $(\mathcal{B}_2, Q_2)$ depends on the liveness property $P_3$ of the auxiliary context. 

Theorem 9.3 Suppose $\mathcal{A}_1, \mathcal{A}_2, \mathcal{A}_3, \mathcal{B}_1, \mathcal{B}_2, \mathcal{B}_3$ are TIOAs such that $\mathcal{A}_1$, $\mathcal{A}_2$, and $\mathcal{A}_3$ are 
comparable, $\mathcal{B}_1$, $\mathcal{B}_2$, and $\mathcal{B}_3$ are comparable, and $\mathcal{A}_i$ is compatible with $\mathcal{B}_i$ for $i \in \{1, 2, 3\}$. 
Suppose that $P_i$ is a property for $\mathcal{A}_i$ and $Q_i$ is a property for $\mathcal{B}_i$ for $i \in \{1, 2, 3\}$. Suppose 
further that: 

1. The sets $traces_{\mathcal{A}_3}$ and $traces_{\mathcal{B}_3}$ are closed under limits. 

2. The sets $traces_{\mathcal{A}_3}$ and $traces_{\mathcal{B}_3}$ are closed under time-extension. 

3. $\mathcal{A}_2 \le \mathcal{A}_3$ and $\mathcal{B}_2 \le \mathcal{B}_3$. 

4. $\mathcal{A}_1 \| \mathcal{B}_3 \le \mathcal{A}_2 \| \mathcal{B}_3$ and $\mathcal{A}_3 \| \mathcal{B}_1 \le \mathcal{A}_3 \| \mathcal{B}_2$. 

5. $(\mathcal{A}_1, P_1) \| (\mathcal{B}_3, frags_{\mathcal{B}_3}) \le (\mathcal{A}_3, P_3) \| (\mathcal{B}_3, frags_{\mathcal{B}_3})$ and 
$(\mathcal{A}_3, frags_{\mathcal{A}_3}) \| (\mathcal{B}_1, Q_1) \le (\mathcal{A}_3, frags_{\mathcal{A}_3}) \| (\mathcal{B}_3, Q_3)$. 

6. $(\mathcal{A}_1, P_1) \| (\mathcal{B}_3, Q_3) \le (\mathcal{A}_2, P_2) \| (\mathcal{B}_3, Q_3)$ and 
$(\mathcal{A}_3, P_3) \| (\mathcal{B}_1, Q_1) \le (\mathcal{A}_3, P_3) \| (\mathcal{B}_2, Q_2)$. 

Then $(\mathcal{A}_1, P_1) \| (\mathcal{B}_1, Q_1) \le (\mathcal{A}_2, P_2) \| (\mathcal{B}_2, Q_2)$. 

Proof: Let $\beta \in traces_{(\mathcal{A}_1, P_1) \| (\mathcal{B}_1, Q_1)}$. By definition of composition for automata with 
properties, $\beta \in traces_{\mathcal{A}_1 \| \mathcal{B}_1}$. By Assumptions 1, 2, 3 and 4 and Corollary 8.8, we have $\beta \in 
traces_{\mathcal{A}_2 \| \mathcal{B}_2}$. By projection using Theorem 8.3, $\beta \lceil (E_{\mathcal{A}_2}, \emptyset) \in traces_{\mathcal{A}_2}$ and $\beta \lceil (E_{\mathcal{B}_2}, \emptyset) \in 
traces_{\mathcal{B}_2}$. By Assumption 3, $\beta \lceil (E_{\mathcal{A}_2}, \emptyset) \in traces_{\mathcal{A}_3}$ and $\beta \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{\mathcal{B}_3}$. Since $\mathcal{A}_2$ 
and $\mathcal{A}_3$ are comparable, and likewise $\mathcal{B}_2$ and $\mathcal{B}_3$, $\beta \lceil (E_{\mathcal{A}_2}, \emptyset) = \beta \lceil (E_{\mathcal{A}_3}, \emptyset)$ and 
$\beta \lceil (E_{\mathcal{B}_2}, \emptyset) = \beta \lceil (E_{\mathcal{B}_3}, \emptyset)$. Therefore, $\beta \lceil (E_{\mathcal{A}_3}, \emptyset) \in traces_{\mathcal{A}_3}$ and 
$\beta \lceil (E_{\mathcal{B}_3}, \emptyset) \in traces_{\mathcal{B}_3}$. 

By projection using Theorem 9.2, we have $\beta \lceil (E_{\mathcal{A}_1}, \emptyset) \in traces_{(\mathcal{A}_1, P_1)}$ and $\beta \lceil (E_{\mathcal{B}_1}, \emptyset) \in 
traces_{(\mathcal{B}_1, Q_1)}$. By pasting using Theorem 9.2, we have $\beta \in traces_{(\mathcal{A}_1, P_1) \| (\mathcal{B}_3, frags_{\mathcal{B}_3})}$ and 
$\beta \in traces_{(\mathcal{B}_1, Q_1) \| (\mathcal{A}_3, frags_{\mathcal{A}_3})}$. By Assumption 5, we have $\beta \in traces_{(\mathcal{A}_3, P_3) \| (\mathcal{B}_3, frags_{\mathcal{B}_3})}$ and 
$\beta \in traces_{(\mathcal{B}_3, Q_3) \| (\mathcal{A}_3, frags_{\mathcal{A}_3})}$. By projection using Theorem 9.2, we get $\beta \lceil (E_{\mathcal{A}_3}, \emptyset) \in 
traces_{(\mathcal{A}_3, P_3)}$ and $\beta \lceil (E_{\mathcal{B}_3}, \emptyset) \in traces_{(\mathcal{B}_3, Q_3)}$. Since $\beta \lceil (E_{\mathcal{A}_1}, \emptyset) \in traces_{(\mathcal{A}_1, P_1)}$, by pasting 
using Theorem 9.2, we have $\beta \in traces_{(\mathcal{A}_1, P_1) \| (\mathcal{B}_3, Q_3)}$; similarly, since $\beta \lceil (E_{\mathcal{B}_1}, \emptyset) \in 
traces_{(\mathcal{B}_1, Q_1)}$, we have $\beta \in traces_{(\mathcal{B}_1, Q_1) \| (\mathcal{A}_3, P_3)}$. By Assumption 6, $\beta \in traces_{(\mathcal{A}_2, P_2) \| (\mathcal{B}_3, Q_3)}$ 
and $\beta \in traces_{(\mathcal{A}_3, P_3) \| (\mathcal{B}_2, Q_2)}$; projecting once more with Theorem 9.2 gives $\beta \lceil (E_{\mathcal{A}_2}, \emptyset) \in 
traces_{(\mathcal{A}_2, P_2)}$ and $\beta \lceil (E_{\mathcal{B}_2}, \emptyset) \in traces_{(\mathcal{B}_2, Q_2)}$, and pasting yields $\beta \in traces_{(\mathcal{A}_2, P_2) \| (\mathcal{B}_2, Q_2)}$, 
as needed. ■ 

Example 9.4 (Using environment assumptions to prove liveness) This example 
illustrates the use of Theorem 9.3 in decomposing the proof of an implementation relation- 
ship where the implementation and specification are not merely composition of automata 
but composition of automata that satisfy some liveness property. 

Let UseOldInputA', UseOldInputB', UseNewInputA', and UseNewInputB' be au- 
tomata which are defined exactly as UseOldInputA, UseOldInputB, UseNewInputA, 
and UseNewInputB from Example 8.10 except that there is no bound on the number of 
outputs that the automata can perform. That is, $maxout$ is removed from their sets of 
state variables. Let $P_1, P_2, Q_1$ and $Q_2$ be properties for, respectively, UseNewInputA', 
UseOldInputA', UseNewInputB' and UseOldInputB' defined as follows: 

• $P_1$ consists of the admissible execution fragments of UseNewInputA'. 

• $Q_1$ consists of the admissible execution fragments of UseNewInputB'. 

• $P_2$ consists of the execution fragments of UseOldInputA' that contain infinitely 
many a actions. 

• $Q_2$ consists of the execution fragments of UseOldInputB' that contain infinitely 
many b actions. 

Suppose that we want to prove that: 

$(UseNewInputA', P_1) \| (UseNewInputB', Q_1) \le (UseOldInputA', P_2) \| (UseOldInputB', Q_2)$ 

The automata UseNewInputA'||UseNewInputB' and UseOldInputA'||UseOldInputB' 
perform an alternating sequence of a and b actions. The properties express the additional 
condition that as time goes to infinity the composite automaton UseNewInputA'||UseNewInputB' 
performs infinitely many a and infinitely many b actions, where a and b actions alternate. 

As in Example 8.10, automata AlternateA and AlternateB from Figure 16 satisfy the 
required closure properties for auxiliary automata and capture what is essential about 
the safety part of the proof, namely that the environments of UseNewInputA' and 
UseNewInputB' impose alternation. The essential point in the proof of the liveness 
part is that each automaton responds to each input it receives from its environment. 
Therefore, we need to pair AlternateA and AlternateB with properties that eliminate 
non-responding behavior. The properties $P_3$ and $Q_3$ defined below satisfy this condition: 

• $P_3$ consists of execution fragments $\alpha$ of AlternateA that satisfy the following condi- 
tion: if $\alpha$ has finitely many actions then the last action in $\alpha$ is a. 

• $Q_3$ consists of execution fragments $\alpha$ of AlternateB that satisfy the following condi- 
tion: if $\alpha$ has finitely many actions and contains at least one a then the last action 
in $\alpha$ is b. 

In order to see why the first part of Assumption 5 is satisfied we can inspect the 
definition of UseNewInputA and observe that UseNewInputA performs an output a one 
time unit after each input b, when it is composed with AlternateB. This implies that 
in any admissible execution fragment of UseNewInputA||AlternateB with finitely many 
actions the last action must be a. This is exactly the liveness constraint expressed by $P_3$. 
The second part of Assumption 5 can be seen to hold using a symmetric argument. 

In order to see why the first part of Assumption 6 holds, consider any execution fragment 
$\beta$ of UseNewInputA||AlternateB. For $\beta$ to satisfy $P_1$ and $Q_3$ at the same time, it must 
consist of an infinite sequence in which a and b actions alternate. It is not possible for 
UseNewInputA||AlternateB to have an admissible execution fragment with finitely many 
actions because the definition of UseNewInputA requires such a sequence to end in a while 
this is ruled out by $Q_3$, which requires AlternateB to respond to a. The second part of 
Assumption 6 can be seen to hold using a symmetric argument. 

Note that in our explanations we refer to execution fragments rather than traces of 
execution fragments. This is because our examples do not include any internal actions 
and our arguments for execution fragments extend to trace fragments in a straightforward 
way. ■ 



9.3 Receptiveness for Properties 

If we were to define a live TIOA to be a pair $(\mathcal{A}, L)$ of a TIOA $\mathcal{A}$ coupled with an I/O liveness 
property $L$, then the resulting class of systems would not be closed under composition. The 
problem, and this was noted already in previous studies of liveness properties for timed 
I/O automata such as [36], is that this definition allows a system to choose its relative 
speed with respect to the environment, and to base its decisions on the future behavior of 
the environment. As a result, the live preorder is not substitutive for parallel composition. 
To solve these problems, previous studies have introduced notions of receptive strategies 
to guarantee that a system does not constrain its environment. The TIOA framework 
incorporates a simpler (although less general) notion of strategy than those considered in 
previous work on timed I/O automata [36]. 

We begin with a definition of receptiveness for a property. Let $\mathcal{A}$ be a TIOA and let 
$P$ be a property for $\mathcal{A}$, that is, a subset of the execution fragments of $\mathcal{A}$. Then we say 
that $\mathcal{A}$ is receptive for $P$ provided that there exists a strategy $\mathcal{A}'$ for $\mathcal{A}$ such that every 
execution fragment of $\mathcal{A}'$ is in $P$. That is, $\mathcal{A}$ has a strategy that can always ensure that 
$P$ is satisfied (regardless of the behavior of the environment). 

The following theorem shows that if $\mathcal{A}$ is receptive for $P$ and $P$ is history-independent, 
then we can conclude that $P$ is a liveness property for $\mathcal{A}$. Theorem 9.6 strengthens this 
result: if we also know that $P$ consists of non-locally-Zeno execution fragments, then $P$ 
must be an I/O liveness property. 

Theorem 9.5 If a TIOA $\mathcal{A}$ is receptive for $P$ and $P$ is history-independent then $P$ is a 
liveness property for $\mathcal{A}$. 

Proof: Suppose that $\mathcal{A}$ is receptive for $P$. That is, $\mathcal{A}$ has a strategy $\mathcal{A}'$ such that 
$frags_{\mathcal{A}'} \subseteq P$. Let $\alpha$ be a closed execution fragment of $\mathcal{A}$ with $\alpha.lstate = x$. Since 
$Q_{\mathcal{A}} = Q_{\mathcal{A}'}$, we know that $x \in Q_{\mathcal{A}'}$. Now, we need to show that there exists some $\alpha'$ such 
that $\alpha \frown \alpha' \in P$. Let $\alpha' = \wp(x)$. We know that $\wp(x) \in frags_{\mathcal{A}'}$ by axiom T0. Since 
$frags_{\mathcal{A}'} \subseteq P$, $\alpha' \in P$. Since $P$ is history-independent, $\alpha \frown \alpha' \in P$, as needed. ■ 

Theorem 9.6 If a TIOA $\mathcal{A}$ is receptive for $P$ and $P$ is a history-independent property for 
$\mathcal{A}$ consisting of non-locally-Zeno execution fragments, then $P$ is an I/O liveness property 
for $\mathcal{A}$. 

Proof: Suppose $\mathcal{A}$ is receptive for $P$. Then there exists a strategy $\mathcal{A}'$ for $\mathcal{A}$ such that 
$frags_{\mathcal{A}'} \subseteq P$. Since all elements of $P$ are non-locally-Zeno, it follows that every element 
in $frags_{\mathcal{A}'}$ is non-locally-Zeno; equivalently, $\mathcal{A}'$ is progressive. By Theorem 7.4, we know 
that any progressive strategy is I/O feasible. 

Now, let $\alpha$ be a closed execution fragment of $\mathcal{A}$ with $\alpha.lstate = x$ and let $\beta$ be an 
$(I, O)$-sequence. Since $Q_{\mathcal{A}} = Q_{\mathcal{A}'}$, we have $x \in Q_{\mathcal{A}'}$, and since $\mathcal{A}'$ is I/O feasible, there 
exists some execution fragment $\alpha'$ of $\mathcal{A}'$ from $x$ such that $\alpha' \lceil (I, O) = \beta$. Since $\alpha' \in P$ and 
$P$ is history-independent we have that $\alpha \frown \alpha' \in P$. Hence, $P$ is an I/O liveness property 
for $\mathcal{A}$. ■ 
The need for the history-independence assumption for the two theorems above stems 
from the fact that strategies of our framework are memoryless whereas liveness properties 
are defined in terms of the possibility of extending every closed execution fragment to a 
live execution fragment. The history-independence assumption might become unnecessary 
if we defined strategies to have memory while keeping the liveness property definition as 
is. Alternatively, we could change the definition of a liveness property to a non-standard 
one such that a property $P$ for $\mathcal{A}$ is defined to be a liveness property provided that for 
any state $x$ of $\mathcal{A}$, there is some execution fragment $\alpha$ from $x$ that is in $P$. 

The following is a basic theorem that has nice consequences for composition of au- 
tomata with liveness properties. Together with Theorems 9.5 and 9.6, it can be used for 
compositional reasoning about TIOAs with liveness properties. 

Theorem 9.7 Let $\mathcal{A}_1$ and $\mathcal{A}_2$ be two compatible TIOAs. If $\mathcal{A}_1$ is receptive for $P_1$ and $\mathcal{A}_2$ 
is receptive for $P_2$ then $\mathcal{A}_1 \| \mathcal{A}_2$ is receptive for $P_1 \| P_2$. 

Proof: The proof follows from Theorem 8.13 and the definition of composition of prop- 
erties $P_1 \| P_2$ from Section 6. ■ 



10 Conclusions 

In this paper, we have defined a new timed I/O automaton modeling framework for de- 
scribing and analyzing the behavior of timed systems. This framework is a special case of 
the recently presented hybrid I/O automaton modeling framework [22]. We used what we 
have learned in developing the HIOA framework to revise the earlier work on timed I/O 
automaton models. Our main motivation was to have a timed I/O automaton model that 
is compatible with the new HIOA model. We sought to benefit from the new style used 
in describing hybrid behavior in simplifying the prior definitions and results on timed 
I/O automata. Moreover, we extended the work on the HIOA model by investigating 
safety and liveness properties and receptiveness for general liveness, not only for feasibil- 
ity as in the HIOA framework. The results presented in this paper suggest that we are 
not that far from having a unified framework for timed and hybrid systems in which we 
can collect and summarize previous results of our own work. We have also established 
formal relationships with other models that are comparable to ours, showing that the 
TIOA framework is general enough to express previous results from other frameworks, 
such as [29, 28, 6, 27, 25, 36]. 

Designers of real-time systems or timing-based algorithms can use the TIOA frame- 
work to describe complex systems and to decompose them into manageable pieces. In 
particular, they can use the TIOA framework to describe their systems at multiple lev- 
els of abstraction, to establish implementation relationships between these levels and to 
decompose their systems into more primitive, interacting components. 
The TIOA framework supports precise statement and verification of safety, liveness, 
and performance properties of timing-dependent systems. Since the TIOA framework is 
purely mathematical, proofs are generally done by hand at present. However, the TIOA 
framework provides a natural basis for computer support tools, which will be developed 
in the future as an extension to the IOA toolkit [13]. These tools include a syntax and 
static semantics checker for TIOA specifications, a simulator and partially automated proof 
tools that employ dynamic invariant detection techniques. There is also work in progress 
toward a tool to automatically translate TIOA specifications into the input language of 
UPPAAL [32, 21], which is discussed in more detail in Section 1.2. This would allow 
us to benefit from fully automated methods in verifying TIOAs that are expressible in 
UPPAAL. 
A Notational Conventions 

a, b                                      action 
f, g, h                                   function 
i, j                                      index 
l                                         locally controlled action 
t                                         time point 
v, x                                      variable 
A                                         set of actions 
C                                         task 
E                                         set of external actions 
F                                         set of functions 
H                                         set of internal (hidden) actions 
I                                         set of input actions 
J                                         interval 
K                                         set of time points 
L                                         set of locally controlled actions 
O                                         set of output actions 
P                                         set of elements in cpo 
Q                                         set of automaton states 
R                                         (simulation) relation 
S                                         set 
T                                         set of trajectories 
V                                         set of variables 
X                                         set of internal variables 
x                                         state 
v                                         valuation 
$\mathcal{A}, \mathcal{B}, \mathcal{C}$   timed (I/O) automaton 
$\mathcal{D}$                             set of discrete transitions 
$\mathcal{T}$                             set of trajectories 
$\mathbb{N}$                              the natural numbers 
$\mathbb{R}$                              the real numbers 
$\mathbb{T}$                              the time axis 
$\mathbb{Z}$                              the integers 
$\mathcal{V}$                             the universe of variables 
$\alpha, \beta, \delta$                   (A, V)-sequence 
$\gamma$                                  sequence 
$\lambda$                                 the empty sequence 
$\pi$                                     projection function 
$\sigma, \rho$                            sequence 
$\tau, \upsilon$                          trajectory 
$\Theta$                                  set of start states 
Index 

(A, V)-restriction, 19 
(A, V)-sequence, 17 

abstraction, 5 

admissible, 17, 19, 88 

Alur-Dill timed automaton, 8, 37, 38, 77 

analog, 14 

analog variable, 22 

assume-guarantee, 105 

backward simulation, see simulation relation, 48 

chain, 11 

clock synchronization, 27, 44 

ClockSync, 29, 58, 98 

comparable 

TA, 39 

TIOA, 102 
compatible 

TA, 55 

TIOA, 103 
complete partial order, 11 
composition, 5, 55, 103 
congruence, 73 
cpo, see complete partial order 

discrete 

variable, 14 
discrete action, 20 
discrete transition, 20 
discrete variable, 14, 22 
dynamic type, 13 

effect, 22 
enabled, 20 
execution, 30, 98 

PeriodicSend, 32 

Timeout, 32 
execution fragment, 30, 31, 98 



fair forward simulation, see simulation relation 
fairness property, see property 
feasible, 37 

FIN, see finite internal nondeterminism, 107 
finite internal nondeterminism, 35 
Fischer's mutual exclusion, 26, 33, 71 
FischerME, 27 
FischerME2, 71 
forward simulation, see simulation relation 

clock synchronization, 44 

time-bounded channels, 43 

hiding, 62 

HIOA, 6, 104 

history relation, 50, 51, 103 

time-bounded channels, 53 
history variable, 50, 51 

time-bounded channels, 50 
history-independent property, see property 
hybrid automaton, 21, 55 
Hybrid I/O Automaton modeling framework, 6, 122 
hybrid sequence, 16 

admissible, 17 

closed, 17 

concatenation, 18 

limit time, 17 

prefix, 18 

time-bounded, 17 

Zeno, 17 
HyTech, 8 

I/O feasible, 99, 114 

I/O liveness property, see property 

implementation, 5, 39 

invariant, 31 

clock agreement, 60 

clock validity, 59, 60 

ClockSync, 59, 60 
failure and timeout, 58 
FischerME, 33, 34 
TimedChannel, 33 
timeout, 57 
isomorphism, 46 

limit, 11 

linear hybrid automaton, 8 
liveness property, see property 
locally Zeno, 98 

machine-closed, 83-85 
machine-closure, 6 

non-Zeno, 17, 19 

parallel composition, see composition 
partial order, 11 

complete partial order, 11 
periodic sending process, 24, 32 
periodic sending process with failures, 24 
PeriodicSend, 24, 56 
PeriodicSend2, 57 
PeriodicSend2, 25 
point trajectory, see trajectory 
precondition, 22 
progressive, 99, 102 
property, 81, 116 

fairness, 6, 86 

history-independent, 88 

I/O liveness, 116 

liveness, 6, 82, 89, 116, 118 

safety, 6, 81, 89 
prophecy relation, 53, 103 
prophecy variable, 53 

reachable, 31 
receptive, 102, 115 
receptiveness, 6, 100 
receptiveness for a property, 120 
refinement, 46 

safety property, see property 
sequence, 10 



simulation relation, 5, 41 

backward simulation, 41, 47, 103 

forward simulation, 41, 102 

refinement, 46 
static type, 13 
stopping condition, 23 
strategy, 100, 101 
strongly fair, 87 
substitutivity, 61, 62, 104, 105 
suffix, 31 

TA, see timed automaton 
TA with bounds, 65 
task, 65 

lower bound, 66 

upper bound, 66 
time axis, 13 
time interval, 13 

time-bounded channel, 23, 33, 43, 50, 53 
timed automaton, 20 
timed automaton model, 20 
Timed I/O automaton, 5, 97 
Timed Input/Output Automaton modeling framework, 5 
TimedChannel, 23, 56, 57, 98 
Timeout, 26, 56, 57 
timeout process, 25, 32 
timing-independent, 37, 107 
TIOA, see Timed I/O automaton 
trace, 5, 31, 98 

PeriodicSend, 32 

Timeout, 33 
trace fragment, 31, 98 
trajectory, 14, 20 

concatenation, 15 

limit time, 15 

point trajectory, 14, 17 

prefix, 15 

untimed automaton, 12 
untiming, 71, 73 
UPPAAL, 8, 123 

variables, 13, 14, 20 
analog, 14 

discrete, 14 

dynamic types, see static type 

static type, see static type 

weakly fair, 87 

Zeno, 6, 17, 34, 88 


